View Other User Private Livestream Data

In the name of Allah, the Most Gracious, the Most Merciful.

Hey, welcome to this write-up!

Note:

  • There’s a “TL;DR” section for those who only need the main point of this write-up.
  • I really apologize if my write-up is bad.

Enjoy :)

I. TL;DR

  • Surprisingly, it’s vulnerable to IDOR.
  • Then I was able to view private data from other users’ Livestreams.

II. Introduction

  • Blocked user list
  • Broadcast config
  • Charity data

and many more.

This query should only be available to the Livestream owner.

III. The Findings

Then, I found a query named “LiveProducerProviderRefetchQuery” and noticed it has a “videoID” parameter:

LiveProducerProviderRefetchQuery

I immediately started messing with it by changing the “videoID” parameter to another user’s Livestream ID, and boom, it showed the private data I mentioned above. Alhamdulillah.

IV. Takeaways

  • Crawl a page and check your Burp “Site Map” (especially the graphql folder) or proxy history, because it may contain a vulnerable query that leads to IDOR or other weird bugs.
Turn on “Live passive crawl”
SUSpicious query
  • Intercept the request when you click a button (like an add-friend button, delete button, etc.), because the button may send a vulnerable query.
SUSpicious button
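As an added example (not the author’s code and not Facebook’s), here is a Python sketch of both the finding and the takeaways above: a scan of proxy-history lines for GraphQL variables that look like object IDs, and a probe that issues the refetch query with another user’s videoID against a resolver with the IDOR and against a fixed one. The schema, field names, sample data, resolvers and history lines are constructed for illustration; only the query name LiveProducerProviderRefetchQuery and the videoID parameter come from the write-up.

```python
"""
Finding and confirming an IDOR in a GraphQL "refetch" query keyed on an ID.

Added example, not Facebook's code. Everything here is constructed except the
query name (LiveProducerProviderRefetchQuery) and the parameter name (videoID).
"""
import json

# Constructed sample data: two livestreams with different owners.
VIDEOS = {
    "1001": {"owner": "alice", "blocked_users": ["mallory"],
             "broadcast_config": {"latency": "low"},
             "charity": {"org": "example-charity", "goal": 5000}},
    "1002": {"owner": "bob", "blocked_users": [],
             "broadcast_config": {"latency": "normal"}, "charity": None},
}
# Fields the producer UI needs but nobody else should see.
PRIVATE_FIELDS = ("blocked_users", "broadcast_config", "charity")


def vulnerable_resolver(viewer, variables):
    """Returns producer-only data for whatever videoID is supplied: the IDOR.
    The viewer identity is never consulted."""
    video = VIDEOS.get(variables["videoID"])
    if video is None:
        return {"data": None, "errors": [{"message": "not found"}]}
    return {"data": {f: video[f] for f in PRIVATE_FIELDS}}


def fixed_resolver(viewer, variables):
    """Same query, but the object is only returned to its owner. Foreign and
    missing objects get the identical response, so the endpoint does not
    become an existence oracle for other people's video IDs."""
    video = VIDEOS.get(variables["videoID"])
    if video is None or video["owner"] != viewer:
        return {"data": None, "errors": [{"message": "not found"}]}
    return {"data": {f: video[f] for f in PRIVATE_FIELDS}}


# Constructed proxy-history lines in the shape "<query name> <variables JSON>",
# standing in for what Burp's Site Map / HTTP history shows under /graphql.
PROXY_HISTORY = """\
LiveProducerProviderRefetchQuery {"videoID":"1001"}
CometFeedRefetchQuery {"count":10,"cursor":"abc"}
FriendRequestSendMutation {"targetUserID":"2002","source":"profile"}
"""


def find_id_parameters(history):
    """Returns (query_name, parameter) pairs whose variable name ends in 'id'.
    These are the first candidates to retry with another user's identifier."""
    found = []
    for line in history.splitlines():
        name, _, raw = line.partition(" ")
        for param in json.loads(raw):
            if param.lower().endswith("id"):
                found.append((name, param))
    return found


def idor_probe(resolver, attacker, victim_video_id):
    """Issue the refetch query as `attacker` with someone else's videoID and
    return the private fields that came back (an empty list means no leak)."""
    response = resolver(attacker, {"videoID": victim_video_id})
    data = response.get("data") or {}
    return [f for f in PRIVATE_FIELDS if f in data]


if __name__ == "__main__":
    print("candidate ID parameters:", find_id_parameters(PROXY_HISTORY))
    # bob asks for alice's stream (1001) through both versions of the query.
    print("vulnerable leaks:", idor_probe(vulnerable_resolver, "bob", "1001"))
    print("fixed leaks:     ", idor_probe(fixed_resolver, "bob", "1001"))
```

The probe deliberately checks which fields came back rather than just the status code: GraphQL endpoints often answer 200 with a partial `data` object and an `errors` array, so the leak is in the body, not in the HTTP status.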

V. Timeline

July 16, 2020 — Triaged by Facebook team

November 12, 2020 — Bounty rewarded

April 24, 2021 — Vulnerability patched

Alhamdulillah, finally this write-up ends here.

Hit me up if you have any inquiries: https://twitter.com/Geva_7
