Facebook partial payment card leak using Graph API
A bug existed in the Facebook Graph API that allowed querying any user's payment card details through a field called payment_modules_options. I found this field while going through all the requests made by the Android app during the registration and login flow.
USER_ID is the ID of the victim's Facebook account, and TOKEN is the attacker's access_token from a first-party Facebook application, such as the official Android app. The query does not work without a valid payment_type, but specifying an invalid one, payment_type(asd), returned the list of all possible payment types. This is a textbook example of an insecure direct object reference (IDOR): the server checked that the token was valid, but never checked that the token's owner was the user whose data was being requested.
As you can see, the returned data included:
1. first 6 card digits (BIN), which identify the bank that issued the card
2. last 4 digits
3. expiry month and year
4. cardholder first name
5. zip code and country
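The missing authorization check described above, shown as an added example that is not Facebook's code and not part of the original writeup: a hypothetical resolver for the payment_modules_options field in its vulnerable form (token validity only) beside a hardened form that also enforces object-level authorization and does not echo the set of valid payment types on error. The card store, the Caller type and the set of payment types are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample store: user id -> payment card records (hypothetical data).
CARDS = {
    "1001": [{"bin": "411111", "last4": "1111", "exp": "12/27",
              "first_name": "Alice", "zip": "94025", "country": "US"}],
}
# Assumed set of payment types; not Facebook's real list.
VALID_PAYMENT_TYPES = {"credit_card", "paypal"}


@dataclass
class Caller:
    user_id: str       # account the access token was issued for
    token_valid: bool  # result of validating TOKEN


class Forbidden(Exception): ...
class BadRequest(Exception): ...


def payment_modules_options_vulnerable(caller, user_id, payment_type):
    """Mirrors the bug: verifies the token, never that its owner is user_id."""
    if not caller.token_valid:
        raise Forbidden("invalid token")
    if payment_type not in VALID_PAYMENT_TYPES:
        # Echoing the allowed set lets a caller enumerate valid parameters.
        raise BadRequest(f"unknown payment_type; valid: {sorted(VALID_PAYMENT_TYPES)}")
    return CARDS.get(user_id, [])


def payment_modules_options_fixed(caller, user_id, payment_type):
    """Hardened: object-level authorization plus a non-enumerating error."""
    if not caller.token_valid:
        raise Forbidden("invalid token")
    if caller.user_id != user_id:  # the IDOR check that was missing
        raise Forbidden("token not authorized for this user")
    if payment_type not in VALID_PAYMENT_TYPES:
        raise BadRequest("invalid request")  # generic: no list of valid values
    return CARDS.get(user_id, [])


def probe(resolver, caller, user_id, payment_type):
    """Run a resolver and report its outcome as (status, payload) for review."""
    try:
        return ("ok", resolver(caller, user_id, payment_type))
    except Forbidden as exc:
        return ("forbidden", str(exc))
    except BadRequest as exc:
        return ("bad_request", str(exc))
```

Running probe() with a token issued to a different account than user_id shows the vulnerable resolver returning the victim's record while the fixed one refuses, and an invalid payment_type no longer reveals the valid set.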