Disclose the FB profile of Facebook employees who create official announcement messages (Bug Bounty)
The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official announcement messages (supposed to be displayed to users as coming from Facebook).
Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement.
By checking the HTTP history in Burp, I noticed that a GraphQL request was triggered while browsing the announcement page.
By analyzing the response of this request, I found a value named “creator_profile_pic_uri” that was returning a URL with a picture ID:
I copied the picture ID present in the link and inserted it into the following URL: https://www.facebook.com/photo?fbid=X
The profile picture and FB profile of the Facebook employee who created the announcement were displayed.
Reproduction Steps
1) Send a POST request to https://www.facebook.com/api/graphql/ with CSRF parameters and the following parameters in the request body:
&variables={"input":{"trigger_event_type":"OPEN_SUPPORT_INBOX","trigger_session_id":"0","selected_support_inbox_item_id":"X"},"scale":2}&doc_id=355954265079591
(Where X is the ID of the Facebook announcement message)
2) Search for “creator_profile_pic_uri” in the returned GraphQL response
3) Grab the picture ID from “creator_profile_pic_uri” and insert it into the following URL: https://www.facebook.com/photo?fbid=Y (Where Y is the picture ID)
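The root cause described above is a GraphQL response that serializes author-identifying fields for an item the UI presents as coming from Facebook itself. The following is an added example (not Facebook's code and not part of the original write-up) of the kind of server-side check and redaction a defender would want: a walker that finds author fields on items flagged as official, and a filter that replaces them with a generic value before the response leaves the server. The response layout, the `is_official` flag, the `creator_id`/`creator_name` field names and the placeholder URLs are all constructed assumptions; only `creator_profile_pic_uri` comes from the write-up.

```python
import json
from typing import Any, List

# Constructed sample GraphQL response. The structure and the is_official flag are
# assumptions for this example; only the field name creator_profile_pic_uri is
# taken from the write-up. The fbid value is made up.
SAMPLE_RESPONSE = {
    "data": {
        "support_inbox_item": {
            "id": "123",
            "is_official": True,
            "title": "Bug Bounty Program Announcement",
            "creator_profile_pic_uri": "https://example.invalid/photo.php?fbid=987654321&size=50",
            "creator_id": "987654321",
            "body": "Sample announcement body (constructed).",
        }
    }
}

# Hypothetical names of fields that identify the human author of an item.
CREATOR_FIELDS = {"creator_profile_pic_uri", "creator_id", "creator_name"}
# Generic avatar served for anything presented as "from Facebook" (placeholder URL).
GENERIC_AVATAR = "https://example.invalid/static/official_avatar.png"


def find_leaks(node: Any, path: str = "", official: bool = False) -> List[str]:
    """Return JSON paths of author-identifying fields that still carry real data
    inside an item flagged official. Meant to run as a response-level assertion
    in tests or as a pre-send check in a serializer."""
    leaks: List[str] = []
    if isinstance(node, dict):
        official_here = official or bool(node.get("is_official"))
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if official_here and key in CREATOR_FIELDS and value not in (None, GENERIC_AVATAR):
                leaks.append(child)
            else:
                leaks.extend(find_leaks(value, child, official_here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_leaks(item, f"{path}[{i}]", official))
    return leaks


def redact_creator_fields(node: Any, official: bool = False) -> Any:
    """Return a copy of the response with author fields on official items
    replaced: the avatar URI becomes the generic avatar, other author fields
    become null. Non-official items are passed through unchanged."""
    if isinstance(node, dict):
        official_here = official or bool(node.get("is_official"))
        out = {}
        for key, value in node.items():
            if official_here and key in CREATOR_FIELDS:
                out[key] = GENERIC_AVATAR if key == "creator_profile_pic_uri" else None
            else:
                out[key] = redact_creator_fields(value, official_here)
        return out
    if isinstance(node, list):
        return [redact_creator_fields(item, official) for item in node]
    return node


if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_RESPONSE))
    cleaned = redact_creator_fields(SAMPLE_RESPONSE)
    print("after:", find_leaks(cleaned))
    print(json.dumps(cleaned, indent=2))
```

The redaction keys off the same flag the UI uses to label an item as official, so the decision of "who the viewer is told sent this" and "whose identifiers are in the payload" cannot drift apart. `find_leaks` is the cheaper half to adopt: run it over responses in integration tests so a future schema change that re-exposes an author field fails the build rather than reaching users.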
Timeline
January 8, 2021: Reported
January 8, 2021: Acknowledged by Facebook
January 14, 2021: Fixed by Facebook
February 1, 2021: $XXXX Bounty awarded by Facebook.
Twitter: https://twitter.com/amineaboud