Facebook IDOR bug in GraphQL
Acknowledged by "FaceBook" Security Team
Today in Amman, Jordan
Got acknowledged by Facebook Security Team After discovering a security issues in a "portal" store "https://portal.facebook.com" A store dedicated to the sale of "Portal and Portal+" devices provided by Facebook recently.
The vulnerability type "IDOR": allows any potential attacker to change the account settings for another user
حصلت على أعتراف من الفريق الامني في شركه فيسبوك بعد أبلاغي عن خلل أمني متجر https://portal.facebook.com المخصص لبيع أجهزة الاتصال portal & portal+ التي وفرتها فيسبوك مؤخرا.
نوع الثغره "IDOR" تسمح لأي مهاجم محتمل بتغير اعدادت الحساب لاي مستخدم اخر على خدمة https://portal.facebook.com
PoC : https://youtu.be/lY_5FHhRVko
HOF : https://web.facebook.com/whitehat/thanks/
Timeline:
10/10/2018 Me, Submitted Report
15/10/2018 FB, Need More Info and Sent a reply
18/10/2018 FB, Need More Info and Sent a reply
22/10/2018 FB, Reproduce my report
25/10/2018 FB, Report Triaged
07/11/2018 Me, Ask any update?
14/12/2018 Me, Ask Any Update?
25/01/2019 Me, Ask Any Update?
26/02/2019 Me, Ask Any Update?
26/02/2019 FB, Apologize to daley!!
01/03/2019 Me, ask any update?
15/04/2019 Me, ask any update?
15/04/2019 FB, Issue Fixed and confirm
29/04/2019 FB, bounty awrded