View Other User Private Livestream Data

بِسْمِ للَّٰهِ لرَّحْمَٰنِ لرَّحِيمِ

Hey, welcome to this write-up!

What I’ve found is only from Allah’s will, actually I’m nothing.

Note:

  • There’s “TL;DR” section for those who only need the main point of this write-up.
  • I really apologize if my write-up is bad.

Enjoy :)

I. TL;DR

  • Facebook has a query to fetch the Livestream data.
  • Surprisingly, it’s vulnerable to IDOR.
  • Then I was able to view private data from other user’s Livestream.

II. Introduction

There’s a query named “LiveProducerProviderRefetchQuery”, the query provide a lot of private data such as:

  • Blocked user list
  • Broadcast config
  • Charity data

and many more.

This query should only be used for the Livestream owner.

III. The Findings

As far as I can remember, I just messing around Live Streaming feature that is located at https://www.facebook.com/live/producer/, what I do is intercepting requests when I access the page, and hope I’ll found a vulnerable query.

Then, I found a query named “LiveProducerProviderRefetchQuery” and noticed there’s a “videoID” parameter:

LiveProducerProviderRefetchQuery

Immediately I messing with it by changing the “videoID” parameter to another user Livestream ID, and boom it’s shows some private data that I mentioned above. Alhamdulillah

IV. Takeaways

I strongly recommend y’all to take your time for:

  • Crawl a page and check your Burp “Site Map” (especially, graphql folder) or proxy history, because it may contain vulnerable query that leads to IDOR or any weird bugs.
Turn on “Live passive crawl”
SUSpicious query
  • Intercepting request when you click a button (like add friend button, delete button, etc), because the button may contain vulnerable query.
SUSpicious button

V. Timeline

July 7, 2020 — Report sent

July 16, 2020 — Triaged by Facebook team

November 12, 2020 — Bounty rewarded

April 24, 2021 — Vulnerability patched

Alhamdulillah, finally this write-up ends here.

Hit me up if you have any inquiries: https://twitter.com/Geva_7

Your bio appears on your Profile and next to your stories. Max 160 characters.