Facebook allows its users to create frames for profile pictures. The users have an option to save the frames in the draft for publishing it in the future.
During security research on the facebook.com web application, it was identified that the `image_id` parameter of the POST /media_effect/swipeable_frame/image/process_background/?image_id=XXXXX HTTP request was vulnerable to Insecure Direct Object Reference (IDOR). An IDOR occurs when an application provides direct access to objects based on user-supplied input without verifying that the requesting user is authorized for that particular object. As a result, attackers can bypass authorization and access resources in the system directly.
This bug could have allowed attackers to access any draft frame by supplying its image id in the vulnerable request; the response disclosed the CDN URL of the draft frame.
POST /media_effect/swipeable_frame/image/process_background/?image_id=1343397992677858 HTTP/1.1
User A uploaded an artwork while creating a frame and saved the frame as a draft.
User B is an attacker who wants to view User A’s unpublished frames.
Steps to Reproduce:
1. Log in to facebook.com as User A.
2. Go to https://www.facebook.com/frames/manage/ .
3. Click on the ‘Open frame studio’ button, upload an artwork in the ‘Create frame’ window, and save the frame as a draft.
4. Log in to facebook.com as User B.
5. Go to https://www.facebook.com/frames/manage/ and click on the ‘Open frame studio’ button.
6. Upload an artwork in the ‘Create frame’ pop-up.
7. Intercept the vulnerable request in Burp Suite.
8. Change the image_id parameter value to the image id of the artwork User A uploaded. The CDN URL of User A’s draft artwork is disclosed in the API response.
9. Copy the disclosed CDN URL and open it in the browser. User A’s uploaded frame is displayed.
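The root cause described above is a resource lookup keyed only on the user-supplied image_id, with no object-level authorization check. The following is an added example, not Facebook's code, showing the vulnerable handler pattern beside a hardened one in a minimal Python model of the endpoint. The in-memory image store, the owner ids, the CDN URLs and the Response type are constructed for the example; only the image id 1343397992677858 comes from the request shown in the write-up. The hardened handler also records denied cross-user lookups, which is the signal a defender would alert on when one session walks through many foreign image ids.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class DraftImage:
    """One uploaded draft-frame artwork (constructed model, not Facebook's schema)."""
    image_id: int
    owner_id: int
    cdn_url: str


# Constructed sample store: two users, one draft artwork each.
IMAGES: Dict[int, DraftImage] = {
    1343397992677858: DraftImage(1343397992677858, owner_id=1001,
                                 cdn_url="https://cdn.example.invalid/drafts/user-a.png"),
    1343397992677859: DraftImage(1343397992677859, owner_id=1002,
                                 cdn_url="https://cdn.example.invalid/drafts/user-b.png"),
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus JSON-like body."""
    status: int
    body: dict = field(default_factory=dict)


# Audit trail of denied cross-user lookups (hypothetical; real systems would log centrally).
AUDIT_LOG: List[dict] = []


def process_background_vulnerable(session_user_id: int, image_id: int) -> Response:
    """Vulnerable pattern: the object is fetched by the user-supplied id alone.

    session_user_id is the authenticated user, but it is never compared with
    the owner of the image, so any valid image_id returns its CDN URL (IDOR).
    """
    img = IMAGES.get(image_id)
    if img is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"cdn_url": img.cdn_url})


def process_background_fixed(session_user_id: int, image_id: int) -> Response:
    """Hardened pattern: object-level authorization before the resource is returned.

    Both 'missing' and 'not owned by the caller' map to the same 404 so the
    response does not confirm that another user's image_id exists. A denied
    lookup of an existing foreign object is recorded for detection.
    """
    img = IMAGES.get(image_id)
    if img is None:
        return Response(404, {"error": "not found"})
    if img.owner_id != session_user_id:
        AUDIT_LOG.append({
            "event": "denied_cross_user_image_access",
            "session_user_id": session_user_id,
            "image_id": image_id,
            "owner_id": img.owner_id,
        })
        return Response(404, {"error": "not found"})
    return Response(200, {"cdn_url": img.cdn_url})


def denied_access_events() -> List[dict]:
    """Return the recorded denied lookups, for tests or a monitoring hook."""
    return list(AUDIT_LOG)


if __name__ == "__main__":
    # User B (1002) requests User A's (1001) draft artwork id.
    print("vulnerable:", process_background_vulnerable(1002, 1343397992677858))
    print("fixed:     ", process_background_fixed(1002, 1343397992677858))
    print("owner:     ", process_background_fixed(1001, 1343397992677858))
    print("audit:     ", denied_access_events())
```

The hardened handler applies the rule that fixes every IDOR of this shape: authorization is decided by comparing the object's owner with the session identity, never by trusting the identifier the client supplied. Returning the same 404 for missing and foreign objects keeps the endpoint from becoming an oracle for valid ids, and the audit entries give a detection team a concrete event to threshold on.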
January 23, 2021: Bug reported to Facebook
February 18, 2021: Facebook team managed to reproduce the bug at their end.
March 2, 2021: Facebook team resolved the bug and requested verification of the patch.
March 3, 2021: Patch verified
June 12, 2021: Bounty awarded