Leaking internal CMS_OIDs gives access to internal Facebook support pages.

The Facebook help or support centre consists from 2 levels

1.Users Level //www.facebook.com/help/....

2.Employees level ///our.internmc.facebook.com///////internalfb.com

it was possible to access the 2nd level as non employee.

repro

1.As Facebook’s employee obtain any internal CMS_OID from internal file./intern/cms…

2. Test it via non employee (as normal Facebook user or as guest).

GET https://www.facebook.com/help/<internal_CMS_OID>

some examples of sensitive data found *but not limited to*

1.CMS Root filenames with details

2.The settings up & permissions manager of https://our.internmc.facebook.com /// https://internalfb.com

3.Videos&photos from employees exposing sensitive internal activities

4.Facebook’s employees names&IDS…. :)

Timeline

19/01/2023 12:39 PM: Report sent

19/01/2023 04:15 PM: Triaged by Meta

21/01/2023: Bounty awarded by Meta

31/01/2023: Fixed

13/02/2023: Resolved