[Facebook] Deleted User Website information disclosed

There was a deprecated Graph API call that still returned website information a user had deleted or changed, even after the user had enabled the "Profile Lock" feature.

POC -

A request of the form "user_ID?fields=website" to the Graph servers, made with an FB4A access token, returned the given user's website field, including the value that the user had already deleted or modified.

Example response - {"website": "http://hackingmonks.net/", "id": "100006290410252"}
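To show the bug class behind this report, here is a constructed model (added here, not Facebook's code): a deprecated read path serves a denormalized copy of the website field that the current write path no longer updates, and skips the visibility check that Profile Lock adds, so it leaks both deleted and superseded values. LEGACY_TABLE, Profile and the placeholder ids are all assumptions of the model.

```python
"""Toy model of a stale, policy-bypassing deprecated endpoint (constructed example)."""
from typing import Optional

# Denormalized copy populated by the old write path and never invalidated.
# This stands in for whatever storage the deprecated call was reading.
LEGACY_TABLE: dict = {}


class Profile:
    def __init__(self, user_id: str, website: Optional[str]):
        self.user_id = user_id
        self.website = website          # live value; None once the user deletes it
        self.locked = False             # "Profile Lock": hide details from non-friends
        self.friends: set = set()
        LEGACY_TABLE[user_id] = website  # old write path filled the copy at creation

    def set_website(self, value: Optional[str]) -> None:
        """Current write path: updates the live field but forgets LEGACY_TABLE."""
        self.website = value


def legacy_website(profile: Profile, viewer_id: str) -> Optional[str]:
    """Deprecated endpoint: returns the stale copy and ignores Profile Lock."""
    return LEGACY_TABLE.get(profile.user_id)


def current_website(profile: Profile, viewer_id: str) -> Optional[str]:
    """Fixed endpoint: same visibility policy as the rest of the Graph, live value only."""
    if viewer_id == profile.user_id or viewer_id in profile.friends:
        return profile.website
    if profile.locked:
        return None
    return profile.website


def demo() -> tuple:
    """User deletes the website and enables Profile Lock; a stranger queries both paths."""
    p = Profile("<USER_ID>", "https://old.example/")   # placeholder id, constructed value
    p.set_website(None)
    p.locked = True
    return legacy_website(p, "<STRANGER>"), current_website(p, "<STRANGER>")


if __name__ == "__main__":
    print(demo())
```

The remediation the model points at is structural: retire the deprecated read path, or route it through the same live store and visibility checks as the current one, rather than patching its output.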

Timeline -

Reported - Friday, April 9, 2021

Triaged - Tuesday, April 13, 2021

Fixed - Monday, May 24, 2021

Rewarded - Friday, June 4, 2021
