Thursday, 22 August 2019

Rights Manager Graph API: Disclosure of business employee to non-business employee

I found a bug in the Graph API of Facebook Rights Manager that discloses a business employee's identity to a non-business employee.



Summary:

Vulnerability Type: Identification / Privacy
Product Area: Pages
A malicious user can disclose a business employee's identity to a non-business employee using Reference Files in Rights Manager.

Description:

Facebook offers a video copyright manager for video content creators on Facebook Pages, through which the creator can track who copies their videos and republishes them without permission. More info: "https://rightsmanager.fb.com/"

Once your request to activate the tool on your page is accepted, open your page from the business admin account, go to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES" and add a reference video. After the reference file is added, look at the "Date Added" column: you will see that it contains your account information.

Now if a page employee (Admin or Editor) goes to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can identify the business admin just by looking at the "Date Added" column.

Impact:

Disclosure of business employee identity to non business employee.

Explain impact:

A business employee's identity is disclosed to a non-business page admin through the Rights Manager video_media_copyrights Graph API edge. Normally, business admins are hidden from non-business page users.

Setup:

Use this link to learn how to add the copyright manager to your page: "https://rightsmanager.fb.com/"

Steps:

1. Create a Page and add an Editor as a page employee.
2. Create a business account.
3. Link the page with Business Manager.
4. Use this link to learn how to add the copyright manager to your page: "https://rightsmanager.fb.com/"
5. After the copyright manager is accepted on your page, upload any video.
6. Now, from the business admin account, go to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES"
7. Click "Add Files", then add the video to Reference Files.
8. Now if an Admin or Editor page employee goes to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can detect the business admin.

PoC GET request:

GET /v2.6/YourPage/video_media_copyrights?access_token=Editor_Token&fields=["creator"] HTTP/1.1
Host: graph.facebook.com

Response:

{
    "data": [
        {
            "creator": {
                "name": "Jafar Abo Nada", 
                "id": "100002271816418"
            }, 
            "monitoring_status": "COPYRIGHTED", 
            "id": "2511847998861026", 
            "reference_owner_id": "936928013019707"
        }, 
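
The fix pattern for this class of bug is field-level authorization: the API must decide per field, based on the caller's role, whether a value may be returned. The following is an added example (not Facebook's code) modelling the video_media_copyrights object from the response above; the role names and the sample record are assumptions, and the identifiers are placeholders.

```python
"""Field-level authorization for a Rights Manager-style API response.

Added example, not Facebook's code. Models the finding on this page: the
`creator` field of a video_media_copyrights object identifies a business
employee and must only be returned to callers who are themselves business
employees. Role names and the sample record are assumed/constructed.
"""
from copy import deepcopy

# Assumed roles: page-level roles versus Business Manager roles.
PAGE_ROLES = {"page_admin", "page_editor"}
BUSINESS_ROLES = {"business_admin", "business_employee"}

# Fields whose values identify a business employee; visible to business roles only.
BUSINESS_ONLY_FIELDS = {"creator"}

# Constructed sample record with the same shape as the response on this page.
SAMPLE_RECORD = {
    "creator": {"name": "Example Business Admin", "id": "BUSINESS_USER_ID_PLACEHOLDER"},
    "monitoring_status": "COPYRIGHTED",
    "id": "REFERENCE_FILE_ID_PLACEHOLDER",
    "reference_owner_id": "PAGE_ID_PLACEHOLDER",
}


def authorize_fields(record, requested_fields, caller_role):
    """Return only the requested fields that the caller's role may see.

    Unauthorized business-only fields are dropped rather than set to null,
    so the response shape itself does not reveal that a creator exists.
    """
    if caller_role not in PAGE_ROLES | BUSINESS_ROLES:
        raise PermissionError(f"unknown role: {caller_role}")
    is_business = caller_role in BUSINESS_ROLES
    out = {}
    for field in requested_fields:
        if field not in record:
            continue
        if field in BUSINESS_ONLY_FIELDS and not is_business:
            continue  # page editor/admin asking for creator: silently omitted
        out[field] = deepcopy(record[field])
    return out


def filter_response(data, requested_fields, caller_role):
    """Apply authorize_fields to every object in a Graph-style {"data": [...]} response."""
    return {"data": [authorize_fields(r, requested_fields, caller_role) for r in data]}


if __name__ == "__main__":
    # The PoC on this page: an editor token requesting fields=creator gets no creator.
    print(filter_response([SAMPLE_RECORD], ["creator", "id"], "page_editor"))
    print(filter_response([SAMPLE_RECORD], ["creator", "id"], "business_admin"))
```

The same check belongs on the web UI that renders the "Date Added" column, since the page shows the identity leaking there as well.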

Follow me on Twitter: @jafar_abu_nada, Facebook: Jafar Abo Nada


Timeline:

Jul-8-2019: Report sent

Jul-12-2019: Facebook reproduced the report

Jul-15-2019: Confirmation of submission by Facebook

Aug-5-2019: Confirmation of patch by Facebook

Aug-22-2019: Bounty awarded by Facebook
