Hey, welcome to this write-up!
What I’ve found is only from Allah’s will, actually I’m nothing.
Note:
- There’s a “TL;DR” section for those who only need the main point of this write-up.
- I really apologize if my write-up is bad.
Enjoy :)
I. TL;DR
- Facebook has a query to fetch the Livestream data.
- Surprisingly, it’s vulnerable to IDOR.
- Then I was able to view private data from other users’ Livestreams.
II. Introduction
There’s a query named “LiveProducerProviderRefetchQuery”. The query provides a lot of private data, such as:
- Blocked user list
- Broadcast config
- Charity data
and many more.
This query should only be usable by the Livestream owner.
III. The Findings
As far as I can remember, I was just messing around with the Live Streaming feature located at https://www.facebook.com/live/producer/. What I did was intercept requests when I accessed the page, hoping I’d find a vulnerable query.
Then, I found a query named “LiveProducerProviderRefetchQuery” and noticed there’s a “videoID” parameter.
Immediately I started messing with it by changing the “videoID” parameter to another user’s Livestream ID, and boom, it showed some private data that I mentioned above. Alhamdulillah.
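For defenders, the missing control here is an object-level authorization check on the ID the client sends. The sketch below is an added example, not code from this write-up or from Facebook: the resolver names, the `ctx.userId` session field and the sample data are all hypothetical and constructed for illustration. It shows a resolver that trusts “videoID” beside one that checks ownership, plus a small cross-account regression check.

```javascript
// Constructed sample data: two livestreams owned by different users.
const LIVESTREAMS = new Map([
  ["1001", { ownerId: "alice", blockedUsers: ["mallory"],
             broadcastConfig: { streamKey: "constructed-key-a" } }],
  ["1002", { ownerId: "bob", blockedUsers: ["eve"],
             broadcastConfig: { streamKey: "constructed-key-b" } }],
]);

class AuthzError extends Error {}

// Vulnerable shape: the client-supplied videoID is the only selector,
// so any logged-in user can read any livestream's producer data.
function producerDataVulnerable(ctx, { videoID }) {
  return LIVESTREAMS.get(String(videoID)) ?? null;
}

// Hardened shape: the owner is compared with the authenticated session,
// never with anything taken from the request body.
function producerDataHardened(ctx, { videoID }) {
  if (!ctx || !ctx.userId) throw new AuthzError("not authenticated");
  const video = LIVESTREAMS.get(String(videoID));
  // Same error for "missing" and "not yours" so IDs cannot be enumerated.
  if (!video || video.ownerId !== ctx.userId) throw new AuthzError("not found");
  return video;
}

// Regression check: for every (viewer, video) pair where the viewer is not
// the owner, the resolver must return nothing. Returns the list of leaks.
function auditCrossAccountAccess(resolver) {
  const leaks = [];
  for (const [videoID, video] of LIVESTREAMS) {
    for (const viewer of ["alice", "bob"]) {
      if (viewer === video.ownerId) continue;
      let result = null;
      try {
        result = resolver({ userId: viewer }, { videoID });
      } catch (e) {
        if (!(e instanceof AuthzError)) throw e;
      }
      if (result) leaks.push(`${viewer} read ${videoID}`);
    }
  }
  return leaks;
}
```

Running `auditCrossAccountAccess` against every owner-only query in a test suite catches this class of bug before it ships.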
IV. Takeaways
I strongly recommend y’all take the time to:
- Crawl a page and check your Burp “Site Map” (especially the graphql folder) or proxy history, because it may contain a vulnerable query that leads to IDOR or other weird bugs.
- Intercept requests when you click a button (like an add friend button, a delete button, etc.), because the button may contain a vulnerable query.
V. Timeline
July 7, 2020 — Report sent
July 16, 2020 — Triaged by Facebook team
November 12, 2020 — Bounty rewarded
April 24, 2021 — Vulnerability patched
Alhamdulillah, finally this write-up ends here.
Hit me up if you have any inquiries: https://twitter.com/Geva_7