Revealing Facebook Employees’ Pictures and Profiles in Official Announcement Messages (Bug Bounty)

The vulnerability could have allowed a malicious actor to reveal the pictures and Facebook profiles of employees who create official announcement messages (which are supposed to appear to users as coming from Facebook).

My involvement began when I received a notification about a Facebook Bug Bounty Program announcement.

While reviewing the HTTP history in Burp, I noticed that a GraphQL request was triggered as I browsed the announcement page.

Upon analyzing the response, I discovered a field labeled “creator_profile_pic_uri” which returned a URL containing a picture ID:

I copied the picture ID from the link and inserted it into the following URL: https://www.facebook.com/photo?fbid=X

This action displayed the profile picture and profile of the Facebook employee who had created the announcement.

Reproduction Steps

1) Send a POST request to https://www.facebook.com/api/graphql/ with CSRF parameters and the following parameters in the request body:

&variables={“input”:{“trigger_event_type”:”OPEN_SUPPORT_INBOX”,”trigger_session_id”:”0",”selected_support_inbox_item_id”:”X”},”scale”:2}&doc_id=355954265079591

(Where X is the ID of the Facebook announcement message)

2) Search for “creator_profile_pic_uri” on the returned GraphQL response

3) Grab the picture ID from creator_profile_pic_uri’ and insert it on the following URL: https://www.facebook.com/photo?fbid=Y (Where Y is the picture ID)

Timeline

January 8, 2021: Reported
January 8, 2021: Acknowledged by Facebook
January 14, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded by Facebook. 💰

Amine Aboud

Twitter: https://twitter.com/amineaboud