Vulnerability In Facebook Insights API [ Solved ]

Insights are a vital part of any analysis, whether it is used for strategic purposes or simply to know the figures in the field of demographics.

Many security researchers come across Facebook vulnerabilities, but the major problems are rewarded and taken care of after they are reported.

The vulnerability, found yesterday by security researcher Mr. Deepak Kumar Nath, was awarded $2000 and was fixed quickly by the Facebook security team. Let us know more about the vulnerability.

The following vulnerability has been explained by the concerned security expert:

Using a regular access_token of an installed application with read_insights permission allows one to see the full detailed insights endpoint. Using this method, one was able to see full demographic breakdowns for Poke in Facebook.

According to the API documentation on Insights (https://developers.facebook.com/docs/reference/api/insights/):

Insights can be retrieved only as an array.
To read Insights you need:
# a generic access_token for the publicly available application_active_users metric
# a generic app access_token for all Insights for that app
# read_insights permissions for all apps, pages and domains owned by this user.

(https://developers.facebook.com/…/reference/api/application/)
According to the Facebook architecture, permissions are stated as “read_insights for an admin, or App access_token”.
From this, all I need to do is hit an OAuth point/section that provides me a way to grant myself read_insights permission.

Proof of Concept:

# Just by clicking on this link we got the information about that…

Vulnerable Link:
https://www.facebook.com/dialog/oauth?response_type=code

https://www.facebook.com/dialog/oauth…

Check with an API call, either in cURL or the Graph API Explorer, using the newly obtained access token to ensure the read_insights permission is there: “/me/permissions”

Execute a second call to “/app/insights”…
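To make the authorization gap concrete, here is an added illustrative model (not Facebook's code and not the researcher's) that contrasts a check which only looks for the read_insights scope with one that enforces the documented rule, “read_insights for an admin, or App access_token”. The app names, user ids and admin table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set

# Constructed model of the authorization rule quoted on the page; not Facebook's code.


@dataclass(frozen=True)
class AccessToken:
    app_id: str                              # application the token was issued for
    user_id: Optional[str]                   # None means this is an app access_token
    scopes: FrozenSet[str] = frozenset()     # granted permissions, e.g. read_insights


# Constructed ownership data (assumption): which users administer which apps.
APP_ADMINS: Dict[str, Set[str]] = {
    "poke": {"u_poke_admin"},
    "my_test_app": {"u_researcher"},
}


def can_read_insights_vulnerable(token: AccessToken, target_app: str) -> bool:
    """Models the flaw described: any token carrying read_insights is accepted,
    regardless of which app it was issued for or who owns the target app."""
    return "read_insights" in token.scopes


def can_read_insights_fixed(token: AccessToken, target_app: str) -> bool:
    """Enforces the documented rule: an app access_token for this same app,
    or a user token with read_insights whose user administers the target app."""
    if token.user_id is None:
        return token.app_id == target_app
    return ("read_insights" in token.scopes
            and token.user_id in APP_ADMINS.get(target_app, set()))


def insights_endpoint(token: AccessToken, target_app: str,
                      check: Callable[[AccessToken, str], bool]) -> dict:
    """Simulates GET /{app}/insights with a pluggable authorization check.
    Returns constructed figures on success, an error record otherwise."""
    if not check(token, target_app):
        return {"error": "forbidden"}
    return {"app": target_app, "application_active_users": 12345}  # constructed
```

Run with a user token that holds read_insights for an unrelated app: the vulnerable check returns the other app's insights, the fixed check returns the error record.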

We will keep you updated with the latest vulnerabilities for security purposes, so stay tuned.

A freelance tech journo who started TechLegends. He has had bylines at a variety of publications that include Ubergizmo & Tech Cocktail. You will usually see cats dancing to the beautiful tunes sung by him. He is also keeping up with his B.Tech in Comp. Sc.
