This is how i was able to See and Delete your Private Facebook Portal photos

Hello everyone! Myself Abhishek Pathak from Gorakhpur, Uttar Pradesh, I’m 17 years old. This is my second Bug Bounty from Facebook (Meta Platforms, Inc)

About Facebook Portal

Facebook Portal is a multi functional app mainly designed for Portal devices which helps to make calls, create/share albums and photos to connected Portal devices, although it works without a Portal device too.

Description

This bug could have allowed a malicious user to view and delete a targeted photo on Facebook Portal app without having access of victim’s login credentials or album ownership

Impact

Private photos of users could be read and deleted improperly, a malicious user could have been able to permanently remove/delete user’s photos from their secret albums, add photos to malicious album and regenerate a valid CDN url of photos.

Story

One day i was using my android smartphone while enjoying my tea, while scrolling Facebook homepage i saw an ad of “Facebook Portal video calling devices” just after seeing the ad i became very curious to explore it more.

After some research i’ve found that Portal video calling devices has an official app called “Facebook Portal” on Google Play store.

Without thinking twice i instantly installed it to check how does it works and what’s inside it.

After seeing this homepage i got to know that it’s a photo sharing app, so decided to check backend stuffs of upload functionality by intercepting the traffic through proxy tools (ie. BurpSuite, Charles, Fiddler)

But unfortunately laptop’s battery was dead so decided to do all the traffic intercepting stuff on my android smartphone through HttpCanary proxy.

Repro Steps

Created two Portal users UserA and UserB, where UserA is Victim and UserB is Malicious User or Attacker.

  • Clicked on upload button, selected an image and clicked on “Add 1 Photo”.
  • Clicked on “New Album” to upload that selected image in newly created album.
  • Just after uploading the image i got the details of uploaded media in request response like Media ID, CDN Url, etc.
  • Copied that Media ID from response to test it further.
  • Did everything same as UserA but this time i noticed something new.
  • While checking all the requests in HttpCanary, I’ve found this endpoint which creates the Album, but most importantly some of the parameters were empty, Mainly “album_media_ids” was empty.
  • I was curious to know what will happen if i append/add UserA’s Media ID in this empty array/list.

Vulnerable Endpoint Details (Sensitive Data is REDACTED)

Endpoint:

https://graph.facebook.com/graphql

Request Body:

access_token=[REDACTED]&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BPPhotosHubAlbumGraphQLHelperCreateAlbumMutation&variables={"album_media_ids":["[REDACTED]"],"name":"Portal Uploads","cover_photo_id":null,"scale":2.75,"thumbnail_size":null}&server_timestamps=true&doc_id=[REDACTED]

  • I immediately replaced [] with [“135XXXXXXXXXX39”] where 135XXXXXXXXXX39 was UserA’s Media ID and sent the request.
  • Well it didn’t gave me any error like “You are not allowed to perform this action” or “You are not allowed to access/upload this media” instead gave a valid response with media CDN url just because it was not verifying the Owner ID of that particular Media in backed, due to this misconfiguration it was vulnerable to an IDOR attack.
  • When i opened UserB’s Facebook Portal app, saw that UserA’s Photo has been added in newly created album.
  • Well now i decided to delete the Photo from UserB’s newly created album to see what will happen in UserA’s account.
  • I immediately deleted that photo from UserB’s album and checked UserA’s account.
  • Well! Well! Well, The photo was deleted from UserA’s album too.
  • I stopped the testing process and made the vulnerability report to Facebook WhiteHat program.

Bonus

The “cover_photo_id” json parameter was also vulnerable along with “album_media_ids”

Timeline

16 Sept 2021 — Initial Report

19 Sept 2021 — Asked For An Update

21 Sept 2021 — Triaged

28 Sept 2021 — Fixed

28 Sept 2021 — Confirmation of Fix

13 Oct 2021 — $$$$$ Bounty Awarded by Facebook

Thank you for reading this write-up!

You can follow me on Twitter @pathleax