I was able to see a workplace owner's name via the workplace's logo ID, provided that the ID of the workplace logo was known.
When we replaced the event's cover picture ID with the workplace logo ID of another workplace, guess what happened? I was surprised to see the owner's name in the response.
Only the workplace owner can upload the logo of their workplace, and the ID disclosed in the workplace is the ID of the admin themselves.
So, to walk through the vulnerability: first, I created an event on my own workplace.
Then I uploaded a cover picture to the event and opened it in a new tab.
After the cover picture was uploaded successfully, I replaced the fbid with the workplace logo ID of another workplace,
and the URL was displayed as shown below:
And finally the owner's name was disclosed. Please see the POC video for a detailed clarification of the vulnerability.
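As an added illustration, not Workplace's actual code, the following constructed model contrasts a cover-picture resolver that trusts the supplied fbid with one that first checks the object belongs to the caller's workplace; the ids, names and object kinds are invented.

```python
# Constructed model of the issue described above (not Facebook/Workplace code).
# A media object (event cover or workplace logo) is resolved by the numeric id
# carried in the request. The vulnerable resolver trusts that id alone; the
# hardened resolver also requires the object to belong to the caller's workplace.
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    fbid: int            # hypothetical object id (what the URL carries)
    workplace_id: int    # workplace this media belongs to
    owner_name: str      # uploader; for a logo this is the workplace admin
    kind: str            # "event_cover" or "workplace_logo"


# Constructed sample store: two workplaces, each with an admin-uploaded logo
MEDIA = {
    1001: Media(1001, 1, "Alice (admin of workplace 1)", "workplace_logo"),
    1002: Media(1002, 1, "Alice (admin of workplace 1)", "event_cover"),
    2001: Media(2001, 2, "Bob (admin of workplace 2)", "workplace_logo"),
}


class Forbidden(Exception):
    pass


def resolve_cover_vulnerable(caller_workplace_id: int, fbid: int) -> dict:
    """Looks up any media by id and returns its metadata, uploader included.
    Swapping in another workplace's logo id therefore discloses its admin."""
    m = MEDIA[fbid]
    return {"fbid": m.fbid, "owner_name": m.owner_name}


def resolve_cover_hardened(caller_workplace_id: int, fbid: int) -> dict:
    """Same lookup, but the object must belong to the caller's workplace and be
    an event cover before any metadata, owner name included, is returned."""
    m = MEDIA.get(fbid)
    if m is None or m.workplace_id != caller_workplace_id:
        # One branch for "missing" and "not yours", so the response does not
        # reveal whether the guessed id exists at all.
        raise Forbidden("media not accessible from this workplace")
    if m.kind != "event_cover":
        raise Forbidden("object is not an event cover")
    return {"fbid": m.fbid, "owner_name": m.owner_name}


def cover_accessible(caller_workplace_id: int, fbid: int) -> bool:
    """True if the hardened resolver would serve this id to this caller."""
    try:
        resolve_cover_hardened(caller_workplace_id, fbid)
        return True
    except Forbidden:
        return False
```

With these sample objects, a caller from workplace 1 can still read its own cover (1002) but no longer learns who uploaded workplace 2's logo (2001).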