Access to CrowdTangle Deletion Framework API

 2 years ago
source link: https://philippeharewood.com/access-to-crowdtangle-deletion-framework-api/
There is a root GraphQL query that gives one access to numerous CrowdTangle API calls including one that lists the deleted objects for popular Facebook entities by date.

Regular users shouldn’t have access to CrowdTangle this way. The data was of the form

{"__typename":"CrowdTangleDeletionResult","id":"111111","parent_id":"22222","system":"fb"}

From my understanding, this was a result that contained a Facebook post. The parent_id supposedly points to the CrowdTangle/Facebook account owner/board. I downloaded ~40,000 results for the period of August 4th, 5th, 7th and 8th. This was a large enough sample size to convince myself that the parent_id was in some cases with a high level of confidence one of the following:

1. A recently deleted page (I cross-checked with a simple Google search and Google cache)
2. A page with a high following that recently deleted posts in bulk

According to Facebook, this wasn’t enough to pass the bar for a bounty.

Please note that here the original impact described in this issue, being able to know the ids and parent_id of deleted object was falling below the bar for a monetary reward, but we will reward this report because we discovered security hardening opportunity that we implemented.

Timeline

Aug 7, 2021 – Report sent
Aug 17, 2021 – Fixed by Facebook

