Internal Paths/Files Leakage via Malformed Access Token on graph.meta.ai

🧾 Description

The graph.meta.ai API leaks detailed internal path and file information when a malformed or invalid access token is supplied in a GET request. Instead of returning a standard OAuth error response (a short JSON error object), the API returns an internal stack trace, including file system paths of the handlers involved.

The behavior is triggered by supplying a short or otherwise malformed token. The token fails to decrypt inside Meta's internal cryptographic handling logic, and that decryption failure is not mapped to a generic OAuth error; the exception details are rendered directly into the HTTP response instead.


⚙️ Steps to Reproduce

Request:

GET /?access_token={malformed_token} HTTP/1.1
Host: graph.meta.ai
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: close

Response:

[Response screenshot not reproduced here; it showed the stack trace and internal file paths described above.]
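The following Python script is an added example, not part of the original post. It automates the check above: it sends a handful of deliberately short or malformed tokens and classifies each response as a proper OAuth error object, a leak (stack-trace markers or absolute file paths in the body), or unknown. The two sample bodies at the top are constructed for offline testing and are not the real graph.meta.ai output; the error code and message in the "safe" response are the conventional Graph API OAuthException shape and are an assumption, not something the post confirms. The network probe only runs when the script is executed directly.

```python
import json
import re
import urllib.request
import urllib.error

# Constructed sample responses (illustrative only, NOT the actual API output).
OAUTH_ERROR_BODY = json.dumps({
    "error": {
        "message": "Invalid OAuth access token.",  # assumed conventional shape
        "type": "OAuthException",
        "code": 190,
    }
})

LEAKY_BODY = (
    "Traceback (most recent call last):\n"
    '  File "/srv/app/handlers/auth/token.py", line 88, in decrypt_token\n'
    "    plaintext = box.decrypt(raw)\n"
    "CryptoError: decryption failed\n"
)

# Two or more path components starting with "/", e.g. /srv/app/x.py.
# The lookbehind keeps us from matching the tail of "foo./bar"-style text.
PATH_RE = re.compile(r'(?<![\w.])(?:/[\w.\-]+){2,}')
TRACE_MARKERS = ("Traceback", "Stack trace", 'File "', "    at ", "Exception")

# Tokens that are too short or structurally wrong to decrypt (constructed).
MALFORMED_TOKENS = ("a", "xyz", "AAAA", "%00", "not-a-token")


def is_oauth_error(body: str) -> bool:
    """True if the body is the expected generic JSON error object."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    err = doc.get("error") if isinstance(doc, dict) else None
    return isinstance(err, dict) and "message" in err and "type" in err


def leaked_paths(body: str) -> list:
    """Absolute-looking file paths found in the response body."""
    return sorted({m.group(0) for m in PATH_RE.finditer(body)})


def has_trace_markers(body: str) -> bool:
    return any(marker in body for marker in TRACE_MARKERS)


def classify(body: str) -> dict:
    """'ok' for a generic OAuth error, 'leak' if internals are exposed."""
    if is_oauth_error(body):
        return {"verdict": "ok", "paths": []}
    paths = leaked_paths(body)
    if paths or has_trace_markers(body):
        return {"verdict": "leak", "paths": paths}
    return {"verdict": "unknown", "paths": []}


def fetch_body(host: str, token: str) -> tuple:
    """GET /?access_token=<token>, returning (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(
        f"https://{host}/?access_token={token}",
        headers={"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # error responses still carry a body
        return e.code, e.read().decode("utf-8", "replace")


def probe(host: str = "graph.meta.ai", tokens=MALFORMED_TOKENS) -> list:
    results = []
    for token in tokens:
        status, body = fetch_body(host, token)
        results.append((token, status, classify(body)))
    return results


if __name__ == "__main__":
    for token, status, result in probe():
        print(token, status, result["verdict"], result["paths"])
```

The classifier is deliberately conservative: anything that parses as the generic error object is accepted, and only bodies containing trace markers or multi-component absolute paths are flagged, so a plain "Bad Request" text page lands in `unknown` rather than producing a false positive. Re-running the probe after a fix should return `ok` for every token.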


Impact

Attackers could use this behavior to gather internal information about the service, such as:

  • Internal filesystem paths
  • Source file names and handler locations

On its own this is an information disclosure, not a compromise, but the paths and handler names reveal parts of the backend layout and the location of the token-decryption code, which makes targeted follow-up attacks easier to plan.

Timeline

  • Reported: May 20, 2025
  • Triaged: May 20, 2025
  • Fixed: May 23, 2025
  • Reward: June 25, 2025

This post is licensed under CC BY 4.0 by the author.