I found a bug in the Graph API of Facebook Rights Manager that leads to the disclosure of a business employee's identity to a non-business employee
Summary:
Vulnerability Type: Identification / Privacy
Product Area: Pages
A malicious user can disclose a business employee's identity to a non-business employee using Reference Files in Rights Manager.
Description:
Facebook offers a copyright video manager (Rights Manager) for video content creators on Facebook Pages, through which a creator can track who copies their videos and republishes them without permission. More info: "https://rightsmanager.fb.com/"
Once your request to activate the tool on your Page is accepted, open your Page from the business admin account, go to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES" and add a reference video. After the reference file is added, look at the "Date Added" column: you will see that it contains your account information.
Now, if a page employee with the Admin or Editor role goes to the same link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can identify the business admin just by looking at the "Date Added" column.
Impact:
Disclosure of a business employee's identity to a non-business employee.
Explain impact:
A business employee's identity is disclosed to a non-business page admin through the Rights Manager video_media_copyrights Graph API edge. Normally, business admins are hidden from non-business page users.
Setup:
Use this link to learn how to add Rights Manager to your page: "https://rightsmanager.fb.com/"
Steps:
1. Create a Page and add an Editor as a page employee.
2. Create a business account.
3. Link the Page with Business Manager.
4. Use this link to learn how to add Rights Manager to your page: "https://rightsmanager.fb.com/"
5. After Rights Manager is accepted for your page, upload any video.
6. Now, from the business admin account, go to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES"
7. Click "Add Files", then add the video to Reference Files.
8. Now, if an Admin or Editor page employee goes to the link "https://web.facebook.com/YourPage/publishing_tools/?section=ALL_REFERENCE_FILES", they can detect the business admin.
PoC GET request:
GET /v2.6/YourPage/video_media_copyrights?access_token=Editor_Token&fields=["creator"] HTTP/1.1
Host: graph.facebook.com
Response:
{
  "data": [
    {
      "creator": {
        "name": "Jafar Abo Nada",
        "id": "100002271816418"
      },
      "monitoring_status": "COPYRIGHTED",
      "id": "2511847998861026",
      "reference_owner_id": "936928013019707"
    }
  ]
}
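The root cause is that the edge applies page-level permission checks but returns a field (creator) that should require business membership, so the proper fix is field-level authorization on the response rather than hiding the "Date Added" column in the UI. The following is an added example, not Facebook's code: a hypothetical server-side filter that strips creator from the video_media_copyrights response for callers who are not members of the Page's business, plus a regression check that flags the leak in a captured response. The role model, the PAGE/EDITOR/BUSINESS_ADMIN records and all ids are assumptions and placeholders.

```python
import json

# Constructed sample in the shape of the video_media_copyrights response shown
# above; the name and ids are placeholders, not real values from the report.
SAMPLE_RESPONSE = """{"data": [{
  "creator": {"name": "Business Admin (placeholder)", "id": "USER_ID_PLACEHOLDER"},
  "monitoring_status": "COPYRIGHTED",
  "id": "REFERENCE_ID_PLACEHOLDER",
  "reference_owner_id": "OWNER_ID_PLACEHOLDER"}]}"""

# Fields on a reference-file object that identify the business user who added it.
BUSINESS_ONLY_FIELDS = frozenset({"creator"})

# Hypothetical role model (assumption, not Facebook's): a page belongs to one
# business; a caller carries a page role plus the businesses they belong to.
PAGE = {"id": "PAGE_ID_PLACEHOLDER", "business_id": "BUSINESS_ID_PLACEHOLDER"}
EDITOR = {"page_role": "EDITOR", "business_ids": frozenset()}
BUSINESS_ADMIN = {"page_role": "ADMIN", "business_ids": frozenset({"BUSINESS_ID_PLACEHOLDER"})}

def is_business_member(caller: dict, page: dict) -> bool:
    """A page role alone (Admin/Editor) never grants business visibility."""
    return page["business_id"] in caller["business_ids"]

def filter_reference_files(response_json: str, caller: dict, page: dict) -> dict:
    """Server-side fix: strip business-only fields before the response reaches
    a caller who is not a member of the business that owns the page."""
    body = json.loads(response_json)
    if not is_business_member(caller, page):
        body["data"] = [
            {k: v for k, v in item.items() if k not in BUSINESS_ONLY_FIELDS}
            for item in body.get("data", [])
        ]
    return body

def leaked_fields(body: dict, caller: dict, page: dict) -> list:
    """Regression check: (object id, field) pairs visible to a caller who
    should not see them. An empty list means the disclosure is closed."""
    if is_business_member(caller, page):
        return []
    return [(item.get("id"), field) for item in body.get("data", [])
            for field in sorted(BUSINESS_ONLY_FIELDS) if field in item]

if __name__ == "__main__":
    before = leaked_fields(json.loads(SAMPLE_RESPONSE), EDITOR, PAGE)
    after = leaked_fields(filter_reference_files(SAMPLE_RESPONSE, EDITOR, PAGE), EDITOR, PAGE)
    print("leak before fix:", before, "| after fix:", after)
```

Run against a captured response from a test Editor token, leaked_fields gives a concrete pass/fail signal that the fix can be regression-tested on, independent of what the UI column renders.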