Workplace Logo ID to Workplace Owner Name Disclosure (Facebook Bug Bounty)

Hi, it’s me, Ajay Gautam, Security Researcher at Saycure and currently studying BIT (Hons) Computing. Today I am going to share one of my valid Facebook issues, which I discovered in 2018.

I was able to see a workplace owner’s name via their logo ID, provided the ID of the workplace logo was known.

When I replaced the event’s cover picture ID with the workplace logo ID of another workplace, guess what happened? I was surprised to see the owner’s name in the response.

Only the workplace owner can upload the logo of their workplace, and the ID disclosed in the workplace is the ID of the admin themself.

So, to walk through the vulnerability: first, I created an event in my own workplace…

Then I uploaded a cover picture to the event and opened it in a new tab.

After the cover picture was uploaded successfully, I replaced the fbid with the workplace logo ID of another workplace, and the URL was displayed as shown below:

And finally the owner’s name was disclosed. Please see the PoC video for a detailed clarification of the vulnerability.
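To make the root cause concrete, here is an added example (not code from the original post or from Facebook) that models the check the write-up describes: a cover-photo lookup that trusts whatever fbid the client supplies, beside a version that only resolves the event’s own cover for someone allowed to view that event. All names, IDs and the in-memory store are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    fbid: str
    owner_name: str
    kind: str       # "event_cover" or "workplace_logo"
    scope_id: str   # the event or workplace the photo belongs to


# Constructed sample store (placeholder IDs, not real Facebook identifiers):
# the researcher's own event cover and another workplace's logo.
PHOTOS = {
    "1001": Photo("1001", "Researcher", "event_cover", "event-A"),
    "2002": Photo("2002", "Other Admin", "workplace_logo", "workplace-B"),
}
EVENT_COVERS = {"event-A": "1001"}          # event -> its legitimate cover fbid
EVENT_MEMBERS = {"event-A": {"researcher"}}  # who may view each event


def cover_owner_vulnerable(event_id: str, fbid: str):
    """Resolves any fbid the client supplies, ignoring the event it was
    requested for. Swapping in another workplace's logo ID therefore returns
    that workplace owner's name, which is the disclosure in the write-up."""
    photo = PHOTOS.get(fbid)
    return photo.owner_name if photo else None


def cover_owner_fixed(requester: str, event_id: str, fbid: str):
    """Object-level authorization done server side: the requester must be
    allowed to view the event, and the fbid must be that event's own cover.
    Any other object reference is refused rather than resolved."""
    if requester not in EVENT_MEMBERS.get(event_id, set()):
        return None
    if EVENT_COVERS.get(event_id) != fbid:
        return None  # fbid is not this event's cover; do not look it up
    photo = PHOTOS.get(fbid)
    if photo is None or photo.kind != "event_cover":
        return None
    return photo.owner_name
```

The fixed handler binds the photo to the event it was requested through, so a foreign logo ID yields nothing even for a legitimate event member.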

Source link
