[IDOR] add or remove the linked publications from Author Publisher settings — Facebook Bug Bounty

Facebook's Linked Publications (Authorship or Author Tag) feature was designed to give journalists more credit and visibility for the articles they wrote, regardless of where those articles were published. It produced the byline seen in many posts, as well as the ability to easily follow that journalist and see when they publicly shared new articles.

To use the feature, authors had to grant permission to a publication or website (specifically, the Facebook page of that site) before they could be cited as the author in Facebook's byline feature.

To do so, authors logged in to their own Facebook profile, opened Settings for that profile and clicked "Linked Publications" (or went directly to this link: https://www.facebook.com/settings?tab=author_publisher ).

There, they could add or remove the publication's (or site's) Facebook page as a "linked publication."

This feature was vulnerable to an Insecure Direct Object Reference (IDOR) that could have allowed an attacker to add or remove the approved publications in any user's Author Publisher settings.

To reproduce, follow the GraphQL requests below.
Vulnerable parameters: author_id and publisher_id
Access token: first-party token (Android)

1. Add a publication to the victim's settings:
   author_id was the victim's profile id and publisher_id was any media/news page id.

   [Image: Add Publication Request]
   [Image: Add Publication Response]

2. Remove a publication from the victim's settings:

   [Image: Remove Facebook Author Approved Publication request]
   [Image: Remove Facebook Author Publication Response]
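The root cause described above is a missing object-level authorization check: the mutation acted on whatever author_id the client supplied instead of the profile the access token belonged to. The following is an added example, not Facebook's code or the original GraphQL request; it models that flaw in a small Python handler and places the hardened version beside it. All names (Session, Store, the handler functions) and ids ("1001", "2002", "page_777", "page_888") are constructed for the illustration.

```python
# Added example (not Facebook's code): a minimal model of the "linked
# publications" mutation showing the missing object-level authorization check
# the write-up describes, beside a hardened version. Names and ids are constructed.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller tries to edit settings that are not their own."""


@dataclass
class Session:
    # Profile id the access token resolves to; this is the server's source of
    # truth for who is making the request, unlike any id in the request body.
    user_id: str


@dataclass
class Store:
    # author profile id -> set of linked publication (page) ids
    linked: dict = field(default_factory=dict)


def add_publication_vulnerable(store: Store, session: Session,
                               author_id: str, publisher_id: str) -> dict:
    """IDOR: acts on whatever author_id the client sent; session.user_id is never consulted."""
    store.linked.setdefault(author_id, set()).add(publisher_id)
    return {"author_id": author_id, "linked": sorted(store.linked[author_id])}


def _require_owner(session: Session, author_id: str) -> None:
    """Object-level authorization: the referenced author must be the authenticated user."""
    if author_id != session.user_id:
        raise AuthorizationError("author_id does not belong to the authenticated user")


def add_publication_fixed(store: Store, session: Session,
                          author_id: str, publisher_id: str) -> dict:
    """Same mutation with the ownership check applied before any state change."""
    _require_owner(session, author_id)
    store.linked.setdefault(author_id, set()).add(publisher_id)
    return {"author_id": author_id, "linked": sorted(store.linked[author_id])}


def remove_publication_fixed(store: Store, session: Session,
                             author_id: str, publisher_id: str) -> dict:
    """Removal gets the identical check; both directions were affected in the report."""
    _require_owner(session, author_id)
    store.linked.get(author_id, set()).discard(publisher_id)
    return {"author_id": author_id, "linked": sorted(store.linked.get(author_id, set()))}


def demo() -> dict:
    """Constructed scenario: user 2002 submits requests naming user 1001's profile."""
    store = Store()
    victim, other = Session("1001"), Session("2002")
    results = {}
    # Vulnerable handler: the request silently links a page to the victim's profile.
    results["vuln_other_added"] = add_publication_vulnerable(store, other, "1001", "page_777")["linked"]
    # Fixed handler: the same request is rejected before touching the store...
    try:
        add_publication_fixed(store, other, "1001", "page_888")
        results["fixed_other_add"] = "allowed"
    except AuthorizationError:
        results["fixed_other_add"] = "denied"
    # ...while the owner can still manage their own settings.
    results["fixed_owner_add"] = add_publication_fixed(store, victim, "1001", "page_888")["linked"]
    results["fixed_owner_remove"] = remove_publication_fixed(store, victim, "1001", "page_777")["linked"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check compares the client-supplied author_id with the identity the token resolves to, which is the smallest change that closes the hole; a cleaner design drops author_id from the mutation entirely and always uses the session's user id, so there is no object reference for a client to tamper with. Whether the referenced page's admins should also have to consent to being linked is a separate question the write-up does not address.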

Timeline:

27/05/2021: Report submitted.

27/05/2021: Triaged.

07/06/2021: Fixed (add/remove vulnerability patched, but I was still able to see the previously approved publications of any page).

21/07/2021: Bounty -> $750 + $75 (Gold league Bonus) + $38 (Delay bonus)

28/09/2021: FB replied: the product team decided to remove the add and remove functionality for this feature; cleanup is still ongoing, so add/remove functionality is no longer available and you are only able to see the previously added settings.

07/12/2021: Feature completely removed and the cleanup of this issue is completed.