Posted on December 31, 2019

Facebook Source Code disclosure in ads API


Facebook Ads Manager allows users to create and publish ads to Facebook. When users upload their images through the user interface, Facebook uploads those ad images through the Graph API into the owner’s ad_account.

The weakness in this endpoint was that, when a corrupted image or an invalid Base64 string was uploaded, the application did not properly handle the exceptions raised while resizing the image. The resulting PHP script error revealed some internal paths and functions of the program. The endpoint handled errors and exceptions poorly; internal stack traces should generally not be accessible to users.

Proof of concept

Send a POST request to the adimages edge at the following path:

Request:
POST /v2.10/act_{ad_account_id}/adimages HTTP/1.1
Host: graph.facebook.com

Bytes=BASE_64:VGhpcyBpcyBtYWxpY2lvdXMgYmFzZTY0IHN0cmluZw==

Response:
{
  "error": {
    "message": "Invalid parameter", 
    "type": "FacebookApiException", 
    "code": 100, 
    "error_data": "exception 'Exception' with message 'gxx_ixx_rxxx_muxxx_thrift call to sxxxXxxXx failed with fxxxx exception: 43 in /var\/www\/flib\/rxx\/xxx\/xxx.php:1692\nStack trace:\n#0 \/var\/www\/flib\xxx.... //--sanitized--//

Impact

This could have leaked some internal stack traces and exceptions.
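
The error-handling weakness described above, next to a hardened form and a regression check for leaked traces. This is an added example, not Facebook's code: the handler names, the resize stand-in, the constructed error text and path, and the `ref` field are all assumptions made for illustration.

```python
import base64, json, logging, re, traceback, uuid

log = logging.getLogger("adimages")

# Constructed inputs: the Base64 string from the request above (valid Base64,
# not an image) and a minimal PNG-signature payload.
SAMPLE_BAD = "VGhpcyBpcyBtYWxpY2lvdXMgYmFzZTY0IHN0cmluZw=="
SAMPLE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()

# Markers of leaked internals: PHP-style traces as in the response above,
# plus Python's own traceback header (this demo runs in Python).
LEAK = re.compile(r"Stack trace:|Traceback \(most recent call last\)|\.(?:php|py):\d+")

def resize_image(raw: bytes) -> bytes:
    """Hypothetical stand-in for the resize backend; rejects non-image bytes."""
    if not raw.startswith((b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")):
        # Constructed internal error text with a placeholder path.
        raise RuntimeError("resize call failed in /srv/app/lib/resize.php:1692")
    return raw

def handle_upload_vulnerable(b64: str) -> dict:
    try:
        return {"ok": True, "size": len(resize_image(base64.b64decode(b64)))}
    except Exception:
        # Weak: the raw exception and trace are echoed back to the caller.
        return {"error": {"message": "Invalid parameter", "code": 100,
                          "error_data": traceback.format_exc()}}

def handle_upload_hardened(b64: str) -> dict:
    try:
        raw = base64.b64decode(b64, validate=True)
        return {"ok": True, "size": len(resize_image(raw))}
    except Exception:
        # Full detail goes to the server log under a reference id;
        # the client gets only the generic error and that id.
        ref = uuid.uuid4().hex
        log.exception("adimages upload failed ref=%s", ref)
        return {"error": {"message": "Invalid parameter", "code": 100, "ref": ref}}

def leaks_internals(response: dict) -> bool:
    """Regression check: does a serialized API response expose a trace or path?"""
    return bool(LEAK.search(json.dumps(response)))
```

Running `leaks_internals` over error responses in an API test suite catches a handler that starts echoing exception text again.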

Timeline

  • 25 Nov, 2017 – Report Sent.
  • 29 Nov, 2017 – Triaged.
  • 1 Dec, 2017 – Fixed.
  • 6 Dec, 2017 – Bounty Awarded by Facebook.