API Object Vulnerability In Facebook Pages Allowed Creation of Ghost FB Posts
A critical Broken Object Level Authorization vulnerability in Facebook Pages was disclosed by security researcher Pouya Darabi. Broken Object Level Authorization (BOLA) holds the number 1 spot (API1) in the OWASP API Security Top 10 as the most common and most severe class of API vulnerability. This flaw allowed an attacker to create an invisible post under the name of a victim Page without any authorization, and without the victim's knowledge. Such a post could still be reached through a direct link, and sharing that link with other users, groups or Pages led viewers to believe the post originated from the victim Page. Clearly such a vulnerability enables the spread of misinformation and can cause severe damage to the victim's reputation.
This section walks through, step by step, how the attacker creates the invisible post and then obtains a direct link that can be shared across several groups.
Facebook Pages are places on Facebook where public figures or businesses connect with their fans or customers. Anyone with a Facebook account can create a Page, or help manage someone else's Page as long as they hold a role on it. The attacker targets the victim's Page and learns its 'page_id' by intercepting the HTTP traffic while loading that Page and searching for 'page_id='. For the rest of this walkthrough, assume the victim's page_id is '99999999999'.
Creative Hub is Facebook's ad-building platform, where a user can create mockup content and collaborate with other users before finalizing and publishing it. While a mockup is being created, Facebook creates an invisible post on the selected Page so that the mockup can be previewed. The attacker first creates such a mockup post from his own account on Creative Hub.
The attacker then replays the same creation/editing request with the 'page_id' parameter replaced by the victim's page_id obtained in the first step, '99999999999' in our example. This is where the authorization check failed: because of the BOLA flaw, the server never verified that the caller held a role on the Page referenced by page_id, and the post was saved to the victim's Page without any error.
Although the post is now in the victim Page's list of invisible posts, Creative Hub will not render a preview of it for the attacker, because the preview requires the 'advertiser' role on that Page.
The Share feature in Creative Hub, however, performs no permission check, and its API responds with a link that allows the post to be previewed. The link structure is as follows:
Loading that preview link in a browser triggers several requests, one of which is a GraphQL query whose response contains the 'id' of the invisible post saved on the victim's Page. This is the post_id the attacker needs.
Using the collected post_id, the attacker builds a direct link to the post, which can then be shared with multiple groups.
Users who open the shared link see the post displayed as if it originated from the victim's Page. The impact grows with the reach of the link: an attacker who distributes it widely can spread misinformation in the victim's name. Popular Pages typically have several admins who monitor the Page and post content on the owner's behalf, but in this case the Page admins never saw the post, since it was saved as an invisible post, and so they could neither review nor delete it. Creating a visible post would have been even worse; fortunately that was not possible, and Facebook states that the vulnerability was not exploited. Pouya Darabi was awarded $15,000 for the initial report and another $15,000 for bypassing the fix Facebook had issued.
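To make the two authorization gaps concrete, here is an added illustration in Python (not Facebook's code, and the page ids, role names and endpoint names are assumptions). It models a Pages service with Page roles, a Creative Hub style mockup endpoint and a share-link endpoint. The vulnerable_* methods reproduce the behaviour described above, trusting whatever page_id or post_id the request carries; the fixed methods resolve the caller's role on the referenced Page before acting, which is the object-level check that was missing.

```python
"""Toy model of the two authorization gaps in the walkthrough above.

Added illustration, not Facebook's code. An in-memory Pages service with Page
roles, a Creative Hub style mockup endpoint and a share-link endpoint. The
vulnerable_* methods reproduce the behaviour the write-up describes (the
page_id and post_id in the request are trusted); the fixed methods resolve the
caller's role on the referenced object before acting on it.
"""
import itertools
from dataclasses import dataclass

# Constructed sample data. Page ids are placeholders, not real Facebook ids.
VICTIM_PAGE = "99999999999"
ATTACKER_PAGE = "11111111111"
PAGE_ROLES = {
    VICTIM_PAGE: {"victim_admin": "admin"},
    ATTACKER_PAGE: {"attacker": "admin"},
}
# Page roles assumed able to create mockups and preview them (assumption for the model).
MOCKUP_ROLES = {"admin", "editor", "advertiser"}


@dataclass
class MockupPost:
    post_id: str
    page_id: str
    author: str
    visible: bool = False  # a Creative Hub mockup is an invisible post on the Page


class PagesService:
    def __init__(self):
        self.posts = {}
        self._ids = itertools.count(1000)

    # --- vulnerable behaviour: the object id in the request is trusted ---
    def vulnerable_create_mockup(self, actor, page_id):
        """Saves the mockup on whatever page_id the caller supplied."""
        post = MockupPost(str(next(self._ids)), page_id, actor)
        self.posts[post.post_id] = post
        return post.post_id

    def vulnerable_share_link(self, actor, post_id):
        """Hands out a preview link with no check on the caller's role."""
        return f"https://example.invalid/preview/{self.posts[post_id].post_id}"

    # --- fixed behaviour: check the caller's role on the referenced Page ---
    def has_role(self, actor, page_id):
        return PAGE_ROLES.get(page_id, {}).get(actor) in MOCKUP_ROLES

    def create_mockup(self, actor, page_id):
        if not self.has_role(actor, page_id):
            raise PermissionError(f"{actor} has no role on page {page_id}")
        return self.vulnerable_create_mockup(actor, page_id)

    def share_link(self, actor, post_id):
        # Authorise against the Page that owns the post, not against the post id alone.
        post = self.posts.get(post_id)
        if post is None or not self.has_role(actor, post.page_id):
            raise PermissionError(f"{actor} may not preview post {post_id}")
        return self.vulnerable_share_link(actor, post_id)


def replay_attack(service):
    """The chain from the write-up: create a mockup on the attacker's own Page,
    replay the request with the victim's page_id, then use the unchecked share
    feature to get a preview link for the ghost post."""
    own = service.vulnerable_create_mockup("attacker", ATTACKER_PAGE)
    ghost = service.vulnerable_create_mockup("attacker", VICTIM_PAGE)
    link = service.vulnerable_share_link("attacker", ghost)
    return own, ghost, link


def denied(call, *args):
    """True if the call is rejected with PermissionError (used to show the fix)."""
    try:
        call(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    svc = PagesService()
    own, ghost, link = replay_attack(svc)
    print("ghost post", ghost, "saved on page", svc.posts[ghost].page_id, "->", link)
    print("fixed create on victim page denied:", denied(svc.create_mockup, "attacker", VICTIM_PAGE))
    print("fixed share of ghost post denied:", denied(svc.share_link, "attacker", ghost))
```

The design point is that both fixes key the check on the Page that owns the object, not on the caller's identity alone and not on the post id: a share-link endpoint that only checks "is this user logged in" is exactly the gap that leaked the preview.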
How can CloudVector help?
To summarize, there are two BOLA issues here: the first is in Facebook Pages, which allowed an invisible post to be saved on a Page the caller held no role on; the second is in the Share feature of Creative Hub, which allowed that content to be previewed without any authorization check. Both can be detected with the CloudVector platform, which builds and tracks the relationships between API payloads and the objects they reference. As noted above, Facebook apps make heavy use of GraphQL endpoints. GraphQL is adopted by many modern applications and brings its own threat landscape. The CloudVector platform parses GraphQL content and ships with out-of-the-box threat detection policies for GraphQL APIs against the OWASP API Security Top 10. CloudVector Enterprise Edition also gives corporate and government customers deep visibility and risk insights into all APIs exposed in their environment, including APIs exposed by third-party vendors and software.
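As an added illustration of the kind of object-relationship tracking described above (this is not CloudVector's implementation; the JSON-lines log format, operation names and ids are assumptions), the following Python sketch replays the attack chain's traffic, constructed here as sample log records, through a detector that learns which Pages each actor has been shown as managing and which Page owns each mockup post, and then flags successful mutations and preview requests that cross those relationships:

```python
"""Detection sketch for the two BOLA issues, run over constructed API log lines.

Added illustration, not CloudVector's implementation. Assumes a JSON-lines log
in which each record carries the acting user, the operation name, the object
ids in the request, the response status and the ids returned. Two relationships
are tracked: which Page ids each actor has been shown as managing, and which
Page owns each post id that appeared in a creation response.
"""
import json
from collections import defaultdict

# Constructed sample traffic replaying the attack chain; ids and operation
# names are placeholders, not real Facebook identifiers.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"actor": "attacker", "op": "list_managed_pages", "req": {}, "status": 200,
     "resp": {"page_ids": ["11111111111"]}},
    {"actor": "victim_admin", "op": "list_managed_pages", "req": {}, "status": 200,
     "resp": {"page_ids": ["99999999999"]}},
    {"actor": "attacker", "op": "create_mockup", "req": {"page_id": "11111111111"}, "status": 200,
     "resp": {"post_id": "1000"}},
    {"actor": "attacker", "op": "create_mockup", "req": {"page_id": "99999999999"}, "status": 200,
     "resp": {"post_id": "1001"}},
    {"actor": "attacker", "op": "share_preview", "req": {"post_id": "1001"}, "status": 200,
     "resp": {"url": "https://example.invalid/preview/1001"}},
    {"actor": "victim_admin", "op": "share_preview", "req": {"post_id": "1001"}, "status": 200,
     "resp": {"url": "https://example.invalid/preview/1001"}},
])


def detect_bola(log_text):
    """Return (line, actor, reason, object_id) for every successful request that
    acts on an object the actor has no recorded relationship with."""
    managed = defaultdict(set)  # actor -> Page ids the platform told them they manage
    post_owner = {}             # post id -> owning Page id, learned from create responses
    alerts = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        ev = json.loads(raw)
        actor, op, req, resp = ev["actor"], ev["op"], ev["req"], ev["resp"]
        if ev["status"] != 200:
            continue  # a rejected request means the server's own check worked
        if op == "list_managed_pages":
            managed[actor].update(resp.get("page_ids", []))
        elif op == "create_mockup":
            page = req["page_id"]
            if "post_id" in resp:
                post_owner[resp["post_id"]] = page
            if page not in managed[actor]:
                alerts.append((lineno, actor, "mutation on page without relationship", page))
        elif op == "share_preview":
            page = post_owner.get(req["post_id"])
            if page is None:
                alerts.append((lineno, actor, "preview of post with unknown owner", req["post_id"]))
            elif page not in managed[actor]:
                alerts.append((lineno, actor, "preview of post on page without relationship", page))
    return alerts


if __name__ == "__main__":
    for line, actor, reason, obj in detect_bola(SAMPLE_LOG):
        print(f"line {line}: {actor}: {reason} ({obj})")
```

On the sample traffic the detector raises exactly two alerts, both for the attacker: the mockup saved on a Page he does not manage, and the preview of the resulting post. Two caveats matter in practice: the relationship baseline has to come from a source the attacker cannot influence (the server's own role lookup, not merely earlier requests from the same client), and a 200 response to an out-of-relationship mutation is the signal worth paging on, because a correctly authorizing server would have returned 403.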