Leaking internal CMS_OIDs gives access to internal Facebook support pages.
The Facebook help or support centre consists from 2 levels
1.Users Level //www.facebook.com/help/....
2.Employees level ///our.internmc.facebook.com///////internalfb.com
it was possible to access the 2nd level as non employee.
repro
1.As Facebook’s employee obtain any internal CMS_OID from internal file./intern/cms…
2. Test it via non employee (as normal Facebook user or as guest).
GET https://www.facebook.com/help/<internal_CMS_OID>
some examples of sensitive data found *but not limited to*
1.CMS Root filenames with details
2.The settings up & permissions manager of https://our.internmc.facebook.com /// https://internalfb.com
3.Videos&photos from employees exposing sensitive internal activities
4.Facebook’s employees names&IDS…. :)
Timeline
19/01/2023 12:39 PM: Report sent
19/01/2023 04:15 PM: Triaged by Meta
21/01/2023: Bounty awarded by Meta
31/01/2023: Fixed
13/02/2023: Resolved