View Other User Private Livestream Data

  • There’s “TL;DR” section for those who only need the main point of this write-up.
  • I really apologize if my write-up is bad.

I. TL;DR

  • Facebook has a query to fetch the Livestream data.
  • Surprisingly, it’s vulnerable to IDOR.
  • Then I was able to view private data from other user’s Livestream.

II. Introduction

  • Blocked user list
  • Broadcast config
  • Charity data

III. The Findings

LiveProducerProviderRefetchQuery

IV. Takeaways

  • Crawl a page and check your Burp “Site Map” (especially, graphql folder) or proxy history, because it may contain vulnerable query that leads to IDOR or any weird bugs.
Turn on “Live passive crawl”
SUSpicious query
  • Intercepting request when you click a button (like add friend button, delete button, etc), because the button may contain vulnerable query.
SUSpicious button

V. Timeline

--

--

--

Your bio appears on your Profile and next to your stories. Max 160 characters.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Arbitrary File Download

Are We Ready for a Password-less Future?

Sorbet Finance Vulnerability Post Mortem

FuzzingAroundNet 0x01

Detecting Malicious Node in Wireless Sensor Network Using Packet Delivery Ratio

Privacy, Security and Anonymity Mini Guide & Links

Never leave this tip while you hunting Broken Access Control

What’s VPN And Why Should You Care?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Geva-Kun

Geva-Kun

Your bio appears on your Profile and next to your stories. Max 160 characters.

More from Medium

InSecure Design Vulnerabilities: What are they and Why they Occurs

Changes in OWASP Top 10: 2017 vs 2021

Hashing and Salting

Root Detection Bypass with Visual Studio Code