Hidden Services Exposed on Facebook (Meta) Business Pages (Bounty: $1638)
Vulnerability:
The Facebook(Meta) Business platform allows business page administrators to create two types of services: public services, visible to all users, and hidden services, accessible only to the admin. While this feature grants admins flexibility in managing their offerings, a flaw has been identified.
While editing a hidden service, I observed a parameter, service_photo_id, which references the image associated with the service. The vulnerability is that any other page admin, belonging to a different organization, can access these hidden service images.
Impact:
This seemingly innocuous manipulation can have dire consequences. By changing the service_photo_id to the value associated with another organization's hidden service, the attacker gains unauthorized access to that hidden service's photo. This photo could potentially contain sensitive information, such as:
- Personal data: Images with identifiable faces or documents containing private information.
- Trade secrets: Internal product mockups, confidential documents, or marketing strategies.
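The missing check described above, shown as an added illustration that is not Meta's code: a hypothetical "edit service" handler that verifies the caller administers the service's page but trusts service_photo_id as given, beside a hardened version that also requires the referenced photo to belong to that same page. All page, admin and photo data is constructed in-memory sample data.

```python
"""Insecure direct object reference on a service photo id (hypothetical handler)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass(frozen=True)
class Photo:
    photo_id: int
    page_id: int   # page that uploaded the photo
    data: str      # stands in for the image bytes


# Constructed sample data: two pages run by different organizations.
PAGE_ADMINS = {101: {"alice"}, 202: {"bob"}}   # page_id -> admin user names
PHOTOS = {
    1: Photo(1, 101, "alice-hidden-mockup.png"),
    2: Photo(2, 202, "bob-hidden-contract.png"),
}
SERVICES = {
    "svc-a": {"page_id": 101, "hidden": True, "service_photo_id": 1},
    "svc-b": {"page_id": 202, "hidden": True, "service_photo_id": 2},
}


def _require_page_admin(user: str, page_id: int) -> None:
    if user not in PAGE_ADMINS.get(page_id, set()):
        raise Forbidden(f"{user} does not administer page {page_id}")


def edit_service_weak(user: str, service_id: str, new_photo_id: int) -> str:
    """Checks ownership of the service only; any photo id is accepted and rendered."""
    svc = SERVICES[service_id]
    _require_page_admin(user, svc["page_id"])
    return PHOTOS[new_photo_id].data   # may be another organization's hidden photo


def edit_service_fixed(user: str, service_id: str, new_photo_id: int) -> str:
    """Also checks that the photo was uploaded by the page whose service is edited."""
    svc = SERVICES[service_id]
    _require_page_admin(user, svc["page_id"])
    photo = PHOTOS.get(new_photo_id)
    if photo is None or photo.page_id != svc["page_id"]:
        raise Forbidden("photo does not belong to this page")
    return photo.data


def is_denied(handler, *args) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```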
Timeline:
- 4 April 2021: Report submitted
- 7 April 2021: Triage
- 11 August 2021: Closed as Duplicate
- 6 September 2021: Report reopened
- 15 October 2021: Fixed and bounty of $525 rewarded
- 17 October 2021: Bypass sent
- 4 March 2022: Fixed and bounty of $575 rewarded
- 1 April 2022: Bypass sent
- 10 June 2022: Fixed and bounty of $538 rewarded