Facebook gave a $4,750 bug bounty reward to a teenage researcher from Nepal for discovering a vulnerability that might have been abused to reveal the identity of a page's administrator. Businesses can use Facebook Pages to boost brand visibility on the social media network, but the Facebook account that has administrative rights over the page stays private. Sudip Shah, a 19-year-old from Pokhara, Nepal, identified an insecure direct object reference (IDOR) vulnerability in Facebook for Android that may be abused to reveal the identity of the page admin.
Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied input. The term IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access controls being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur in the context of vertical privilege escalation.
Consider a website that serves the customer account page from the URL https://insecure-website.com/customer_account?customer_number=132355 by retrieving information from the back-end database. In this case, the customer_number value is used directly as the record index in queries against the back-end database. If no other restrictions are in place, an attacker can simply change the customer_number value to read other customers' records, bypassing access controls. This is an example of an IDOR vulnerability that results in horizontal privilege escalation.
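The customer_number lookup described above, written out as an added example that is not part of the original article: the vulnerable version trusts the identifier alone, while the hardened version authorizes on the object by checking that the record belongs to the requesting user. The record table, usernames and balances are constructed sample data, and the `enumerate_as` helper simply walks a range of identifiers against either implementation so the difference can be tested.

```python
"""Added example (not from the article): the customer_number lookup from
the IDOR explanation, first as the vulnerable direct-reference version
and then with an object-level ownership check.  All records and users
below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed back-end table keyed by customer_number.  In the vulnerable
# design the URL parameter is used directly as this index.
CUSTOMERS = {
    132355: {"owner": "alice", "name": "Alice Example", "balance": 1200},
    132356: {"owner": "bob", "name": "Bob Example", "balance": 80},
}


@dataclass
class Session:
    username: str  # the authenticated user behind the request


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def get_customer_vulnerable(session: Session, customer_number: int) -> Optional[dict]:
    """IDOR: authentication is checked elsewhere, but nothing ties the record
    to the caller, so changing customer_number reads another customer's
    data (horizontal privilege escalation)."""
    return CUSTOMERS.get(customer_number)


def get_customer_hardened(session: Session, customer_number: int) -> Optional[dict]:
    """Authorize on the object, not only on the session: the record is
    returned only if it belongs to the requesting user.  Unknown and
    foreign identifiers are refused the same way so the response does not
    reveal whether an identifier exists."""
    record = CUSTOMERS.get(customer_number)
    if record is None or record["owner"] != session.username:
        raise Forbidden(f"customer {customer_number} is not accessible")
    return record


def enumerate_as(
    session: Session,
    lookup: Callable[[Session, int], Optional[dict]],
    candidates: Iterable[int],
) -> List[int]:
    """Regression check: walk a range of customer_number values as one user
    and return the identifiers whose records the lookup handed back."""
    leaked = []
    for cid in candidates:
        try:
            record = lookup(session, cid)
        except Forbidden:
            continue
        if record is not None:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    bob = Session("bob")
    ids = range(132354, 132358)
    print("vulnerable:", enumerate_as(bob, get_customer_vulnerable, ids))
    print("hardened:  ", enumerate_as(bob, get_customer_hardened, ids))
```

Running the script shows the vulnerable lookup returning both records to Bob, while the hardened lookup returns only his own. The same pattern applies to the page admin disclosure in the article: the response must be filtered by what the caller is entitled to see, not by what identifier the caller happened to supply.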
Shah noticed that, while navigating to another page's live video section in Facebook for Android, altering the page_id in a request to a vulnerable endpoint caused the broadcaster_id parameter in the response to contain the admin's ID. “It leads to page admin disclosure which is a privacy issue to the page. The impact is high because the page’s admin information is meant to be kept private and not shown to the public,” the researcher says.
The issue only affected pages with the live video function enabled, although Shah believes that most pages were affected because the feature is present on the majority of them. He further notes that an attacker would have needed a script to automatically modify the page_id in the request and capture the broadcaster_id in the response for mass exploitation.
The researcher also found a variation of the security flaw in which the attacker might have the admin ID disclosed in the response by including a modified live_video_id in the request. The underlying source of the issue, however, remained the same.
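Mass exploitation of a flaw like this, as the researcher notes above, means one client requesting the same endpoint with many different page_id values in a short time. That pattern is visible in ordinary request logs, and the following is an added detection example that is not part of the article or of Facebook's tooling: it parses constructed log lines, groups requests per client, and flags any client that requested at least a threshold number of distinct page_id values within a sliding time window. The `/live_videos` path, the log format, the client labels and the threshold are all assumptions chosen for the example.

```python
"""Added example (not from the article): flag clients that enumerate many
distinct page_id values against one endpoint within a short window.
The log format, endpoint path and threshold are assumptions; the log
lines are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed log format: "<ISO-8601 time> <client> <method> <path>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
PAGE_ID = re.compile(r"[?&]page_id=(\d+)")

# Constructed sample: client c1 walks twelve consecutive page_id values in
# twelve seconds, c2 revisits one page, c3 looks at three pages (benign).
SAMPLE_LOGS = (
    [f"2021-06-01T10:00:{s:02d} c1 GET /live_videos?page_id={1000 + s}" for s in range(1, 13)]
    + [
        "2021-06-01T10:00:05 c2 GET /live_videos?page_id=5000",
        "2021-06-01T10:02:00 c2 GET /live_videos?page_id=5000",
        "2021-06-01T10:01:00 c3 GET /live_videos?page_id=7001",
        "2021-06-01T10:01:30 c3 GET /live_videos?page_id=7002",
        "2021-06-01T10:03:00 c3 GET /live_videos?page_id=7003",
        "2021-06-01T10:03:01 c3 GET /home",  # no page_id: ignored
    ]
)


def parse(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, client, page_id) or None if the line is not a
    page_id request in the assumed format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    p = PAGE_ID.search(m["path"])
    if not p:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], int(p.group(1))


def find_enumerators(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    min_distinct: int = 10,
) -> Dict[str, int]:
    """Return {client: max distinct page_id count} for every client that
    requested at least min_distinct different page_id values inside some
    window-long span of time."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, client, pid = parsed
            events[client].append((ts, pid))

    flagged: Dict[str, int] = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {pid for _, pid in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOGS).items():
        print(f"{client}: {count} distinct page_id values within 5 minutes")
```

The threshold and window need tuning per application; the point is that an IDOR being harvested at scale leaves a per-client fan-out signature that the legitimate access pattern (one user, a handful of pages) does not. The detection is a compensating control, not a substitute for the authorization fix, which is to stop returning the admin identifier in the response.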