Pranav Hivarekar

Facebook's API Bug - Exposure of `unpublished links` over graph api

Posted by Pranav Hivarekar on May 08, 2015

Description

The /me/links endpoint is undocumented; I could not find any documentation describing how to work with it. By combining a few API calls, however, it is possible to create unpublished posts through it.

Facebook's Graph API documentation on creating unpublished posts states: "It is possible to add some content to the Graph without publishing a news feed or profile story indicating that it has been created. This is useful in a few situations, such as Page posts which are scheduled to go live at a particular time, or when a photo is to be used in a photo comment."

This is very useful for page owners, since UNPUBLISHED content is not shown on the page until it is published. Page admins and other people with roles on a page can also schedule posts to be published later.

After repeated testing, I observed that this edge (/{page-id}/links) does not obey the rules for unpublished content. When we create an UNPUBLISHED link via the /me/links edge, it is indeed unpublished: it does not appear in the feed, and no profile story indicating that it was created is shown. So, on the front end, it works correctly.

But the page itself can be accessed by any app or any user. So anyone holding an access_token with only the public_profile permission could read the UNPUBLISHED links, via the /{page-id}/links edge.

Proof Of Concept

Request

    POST /me/links?access_token=redacted

    published=0&message=created by testing&link=http://www.pranavhivarekar.in/

Response

    {
      "id": "366040680262484"
    }

The link is created as unpublished. So the link is publicly reachable at that moment, but it is not shown on or linked directly from the page. The flaw was that anyone with any access_token could view the unpublished links via the /me/links endpoint. It is now patched, and unpublished links are only accessible to admins, editors and other people with roles on the page, not to the public.
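As an added example (not code from the original post), here is a regression check for the flaw described above: it creates a link with published=0 as the page admin, lists the page's links with a token that holds only public_profile, and reports any unpublished id that comes back. The Graph API base URL, the listing shape and the fake_graph transport are assumptions so that the check runs offline.

```python
"""Regression check for the unpublished-links exposure described above.
Assumed, not from the original post: the Graph API base URL, the listing shape
{"data": [{"id": ...}, ...]}, and the fake transport used to run this offline.
"""
from urllib.parse import urlencode, parse_qs

GRAPH = "https://graph.facebook.com"  # assumed base URL


def build_unpublished_link_request(page_id, message, link):
    """Compose the create call from the proof of concept. published=0 keeps the
    link out of the page feed. The access_token is not placed in the query
    string; the transport attaches it (tokens in URLs end up in logs)."""
    body = urlencode({"published": "0", "message": message, "link": link})
    return "POST", f"{GRAPH}/{page_id}/links", body


def exposed_unpublished_ids(unpublished_ids, listing):
    """Return the ids created with published=0 that a low-privilege token
    (public_profile only) can see in GET /{page-id}/links. Empty == patched."""
    visible = {item.get("id") for item in listing.get("data", [])}
    return sorted(set(unpublished_ids) & visible)


def run_check(page_id, admin_transport, public_transport, message, link):
    """Transports are callables (method, url, body) -> dict that attach the
    admin token and the public_profile-only token respectively."""
    method, url, body = build_unpublished_link_request(page_id, message, link)
    created = admin_transport(method, url, body)["id"]
    listing = public_transport("GET", f"{GRAPH}/{page_id}/links", None)
    return exposed_unpublished_ids([created], listing)


def fake_graph(vulnerable):
    """Constructed stand-in for the Graph API (no network). It records ids of
    unpublished links; the public-token view lists them only when vulnerable."""
    store = {"unpublished": [], "next_id": 1000}

    def admin(method, url, body):
        store["next_id"] += 1
        link_id = str(store["next_id"])
        if method == "POST" and parse_qs(body).get("published") == ["0"]:
            store["unpublished"].append(link_id)
        return {"id": link_id}

    def public(method, url, body):
        if vulnerable:  # pre-fix behaviour reported in the post
            return {"data": [{"id": i} for i in store["unpublished"]]}
        return {"data": []}  # patched: role-less token sees no unpublished links

    return admin, public
```

Against the real API, replace fake_graph with two transports that send the admin and the public_profile-only token; a non-empty result from run_check means the regression is back.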

Thanks to Facebook's team for patching this vulnerability, which allowed unpublished links to be exposed via the API.

Timeline

Apr 12, 2015 10:52pm – Report sent
Apr 15, 2015 3:50am – Escalation by Facebook
May 7, 2015 11:44pm – Asked about confirmation of fix
May 8, 2015 12:01am – Fix confirmed by me
May 9, 2015 5:20am – Bounty awarded by Facebook