Skip to main content

How I could have hacked Facebook Analytics to view any Facebook page's Analytics- $7500


Hi,
This post is regarding one of my findings in Facebook which could have allowed anyone to view the Facebook Analytics of any Facebook page without having any roles on the page.

 Bug:  Bug in Facebook Analytics which allows an attacker to view analytics of any Facebook page without having any roles on the page.

POC Steps

The API call to create an event source group is like below.
"GET /v2.10/1234/event_source_groups?" 
where "1234" is the business account id and it accepts the parameters, name and event_sources .
The parameter event_sources can contain the id of page,app,pixel or offline event set.
After some testing, I found that while adding a page object as an event source, there are no security checks at this end point to check whether authorized user is making the request or not.
In addition to this, I found other two end points as well which is vulnerable.

1)While making a POST request to an existing event source group.
2)At the "external_event_sources" edge  in a Product Catalog.

This allowed me to add victim's page(in which I do not have any roles/access) as an event source to the new event source group.
The response was like below.
/**/ __globalCallbacks.f1282beea9a7e38({"id":"99999"}); 
Where 99999 is the id  of the new event source group created.
I was curious to see whether this event source group was listing victim's page or not!
I opened the link "https://facebook.com/analytics/99999 " and clicked on Settings. 
Confirming my guess, I saw the victim's page listed there.



I just clicked on the page and it opened the Analytics of Victim's Page
Ie, I got complete access to the analytics of victim's page in which I do not have any roles :)
I was able to view all the details, create dashboards, and do all other activities here.

 Mitigation and Fix

I reported this bug to Facebook on October 16th. Initially it took time to get the 1st update and and got it on 22nd.
Within 30 minutes after the acknowledgment, Facebook removed Event Source Group Creation as a temporary fix showing the criticality of the bug.
Also the security team member Mesut asked me to confirm the temporary fix.




When I tried through API call, got below error as well.

"/**/ __globalCallbacks.f33f5867ddcb64c({"error":{"message":"(#2) Service temporarily unavailable","type":"OAuthException","is_transient":true,"code":2,"fbtrace_id":"C\/kcS9baO6b"}});"
After few days, I checked again and saw a permanent fix. All the endpoints now returns the below response for unauthorized calls.
"
/**/ __globalCallbacks.f35ce9b15337664({"error":{"message":"(#10) Error creating event source group. Verify that you have permissions on all event sources.","type":"OAuthException","code":10,"fbtrace_id":"Dr6Dam4AIJ5"}});"
As this could have allowed anyone to view the Analytics of any Facebook page without any special permissions, I got a nice bounty for the same.



I am thankful to the Facebook Security team for the quick fix and for the awesome bounty :)
Report timeline

16th October, 2017 - Bug Reported
22nd October, 2017 - Mesut from Facebook Security confirmed the bug and sent to product team.
22nd October, 2017 - Asked for the confirmation of temporary fix and I confirmed the same.
28th October, 2017 - Confirmation of the permanent fix by me.
1st November, 2017 - Bounty awarded. 7500 USD.

Comments

  1. Bella3 October 2019 at 00:26

    Informative post. Thanks for sharing.
    ๐Ÿ“ŒStocks4all.com๐ŸŒ is Coming soon............๐Ÿฅ๐Ÿฅ๐ŸŽŠ๐ŸŽ‰
    Follow this page to get noticed when we launch the website Few days to Go......
    Like๐Ÿ‘ & share๐Ÿ‘ฅ this page to get the best information on stocks...✍️๐Ÿ’ฏ

    Stocks4all

    ReplyDelete
  2. Blogger24 February 2020 at 11:33

    Strange "water hack" burns 2lbs overnight

    Well over 160 000 women and men are utilizing a simple and secret "liquids hack" to drop 2 lbs every night in their sleep.

    It is effective and it works all the time.

    This is how you can do it yourself:

    1) Go get a glass and fill it up with water half full

    2) Now follow this crazy hack

    you'll be 2 lbs thinner the next day!

    ReplyDelete
  3. riyaz6 June 2020 at 07:14

    I would definitely thank the admin of this blog for sharing this information with us. Waiting for more updates from this blog admin.
    Android Training Institute in Chennai | Android Training Institute in anna nagar | Android Training Institute in omr | Android Training Institute in porur | Android Training Institute in tambaram | Android Training Institute in velachery

    ReplyDelete

Post a Comment

Popular posts from this blog

Setting up tests for any App or Pixel using Facebook's Test and Learn feature

Hi, This post is regarding one of my findings in Facebook which could have allowed anyone to set up tests for apps/pixels to which he does not have any roles/access. Bug: Bug in Facebook's "Test And Learn" Feature which allows an attacker to set up tests for apps/pixels to which he does not have any roles/access and to view the test results. POC Steps Users can setup tests from the url  https://facebook.com/test-and-learn/?act=12345 where 12345 is ad account id.(Refer https://www.facebook.com/business/help/1575448755848995) The bug was in the 2nd test option "How many conversions are all my Facebook ads causing?" Click on "Set up Test", enter a test name and select any of your apps/pixel as the event source and select the schedule. The API call to setup a test is like below. "POST /v2.10/me/ad_studies?"  There were no security checks at this end point to check whether authorized user is making the request or not. In this reques
4 comments
Read more

How I could have made your products Out of Stock in Facebook Pages!

Hi, This post is regarding one of my findings in Facebook which could have allowed anyone to toggle the stock status of products created by admins of a Facebook page. Bug: Toggling the stock status of Products created by any Facebook page without having any  roles on the page POC Steps Page admins can create/manage Facebook products on their page. There are options available for the admins to mark a product as "In Stock" or "Out of Stock" by sending a POST request to the endpoint "/pages/content_tab/products/update_inventory/?" This endpoint accepts the below three main parameters.   av: the page id   product_group_ids[]: An array of product group ids for batch update.   inventory_in_stock : true or false(In Stock or Out of Stock) Security checks were missing at this endpoint which allowed me to change the stock status of any product group id. Now, to exploit this vulnerability, we need the product group id of victim's product. The pro
1 comment
Read more