Meta AI is a public-facing AI assistant and image generation platform by Meta (formerly Facebook). The platform enables users to interact with an LLM-powered assistant and generate AI art based on text prompts. The AI-generated media (e.g., images) and associated prompts are stored and tied to user sessions for future edits, reimaginations, or sharing.
The platform relies heavily on GraphQL APIs to facilitate client-server communication for media creation, modification, and interaction.
During bug bounty research on the Meta AI dashboard, I identified a critical flaw in the GraphQL mutation useAbraImagineReimagineMutation. The API fails to verify the ownership of the media_set_id parameter against the authenticated user session.
This missing authorization check allows an attacker to modify the media_set_id field in the request to arbitrarily access any other user’s AI-generated media along with the original prompt and the model-generated description. The bug permits unauthorized access to highly sensitive creative content.
Step-by-step guide
Users Involved:
- User A: Victim (their prompt & AI output is leaked)
- User B: Attacker
- A new conversation was started on https://meta.ai, and the AI model was asked to generate an image.
- Once the image was generated, the Edit button was clicked.
- In the edit prompt chatbox, a random input (such as "-") was entered and submitted.
- The request sent to the server was intercepted using Burp Suite.
- Within the vulnerable GraphQL request, a parameter named media_set_id was located.
- This ID was replaced with a different user’s media_set_id, which could be discovered through shared URLs or guessed due to its predictable format.
- The modified request was then forwarded to the server. As a result, the server returned the original prompt and the AI-generated output associated with the other user’s content.

Vulnerable request proof of concept
Vulnerable Endpoint
POST /api/graphql/ HTTP/2
Host: www.meta.ai
...
fb_api_req_friendly_name=useAbraImagineReimagineMutation
...
{
  "input": {
    "client_mutation_id": "20",
    "actor_id": "490802730791771",
    "external_conversation_id": "28c26ba7-fc63-4b0a-88a4-4ed68be04ee8",
    "image_id": null,
    "instruction": "change car colour to red",
    "media_set_id": "476707502200577", ← REPLACE THIS WITH VICTIM’S media_set_id
    "media_type": "FLASH_IMAGE",
    "message_id": "mid.$gAB-7oD-PxPWaMyOd9mUAd44UalyV"
  }
}
Technical Root Cause
The vulnerable API failed to validate ownership of media_set_id. Because the server trusted the identifier supplied in the request body, any authenticated user could pass another user’s media_set_id (e.g., a shared media ID or a guessed one) and retrieve the original AI prompt and generated content, without any authorization or permission check tying that media set to the calling session.
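To make the root cause concrete, here is an added example (not Meta’s code) of a GraphQL-style mutation resolver for a "reimagine" operation, first in the vulnerable shape the writeup describes and then in a hardened shape that enforces ownership of media_set_id. The in-memory mediaSets store, the context.actorId session field, the AuthorizationError class and the demo driver are assumptions for illustration; the ids and prompts are constructed sample data.

```javascript
// Added example, not Meta's code. The store, session shape and error class
// are assumptions; ids and prompts are constructed sample data.

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// Constructed sample data: each media set records which account created it.
const mediaSets = new Map([
  ["476707502200577", {
    ownerId: "490802730791771",
    prompt: "a blue sports car parked on a coastal road",
    description: "A blue convertible beside the sea at sunset.",
  }],
  ["476707502200999", {
    ownerId: "111111111111111",
    prompt: "a birthday card for my daughter Emma, age 7",
    description: "A pastel card with balloons and the name Emma.",
  }],
]);

// Vulnerable resolver: media_set_id is taken straight from the client input
// and looked up with no check that it belongs to the caller, so any
// authenticated account that supplies another account's id receives that
// account's prompt and generated description.
function reimagineVulnerable(context, input) {
  const mediaSet = mediaSets.get(input.media_set_id);
  if (!mediaSet) {
    throw new Error("media set not found");
  }
  return {
    originalPrompt: mediaSet.prompt,
    description: mediaSet.description,
    instruction: input.instruction,
  };
}

// Hardened resolver: the acting account comes from the authenticated session
// (context.actorId), never from the request body's actor_id, and the media
// set must belong to that account before any field is returned.
function reimagineHardened(context, input) {
  if (!context || typeof context.actorId !== "string") {
    throw new AuthorizationError("unauthenticated");
  }
  const mediaSet = mediaSets.get(input.media_set_id);
  // Missing and foreign ids produce the same response, so the API does not
  // confirm which guessed ids exist.
  if (!mediaSet || mediaSet.ownerId !== context.actorId) {
    throw new AuthorizationError("media set not found or not accessible");
  }
  return {
    originalPrompt: mediaSet.prompt,
    description: mediaSet.description,
    instruction: input.instruction,
  };
}

// Driver so the file runs on its own; the session and request are constructed.
function demo() {
  const callerSession = { actorId: "490802730791771" };
  const foreignRequest = {
    actor_id: "111111111111111",      // client-supplied; the hardened path ignores it
    media_set_id: "476707502200999",  // belongs to a different account
    instruction: "change car colour to red",
  };
  const leaked = reimagineVulnerable(callerSession, foreignRequest);
  let blocked = false;
  try {
    reimagineHardened(callerSession, foreignRequest);
  } catch (err) {
    blocked = err instanceof AuthorizationError;
  }
  return { leakedPrompt: leaked.originalPrompt, blocked };
}

console.log(demo());
```

Two design points carry over from this toy to a real service: the ownership check compares against the session identity, not the actor_id field in the body (which is as client-controlled as media_set_id), and the check is placed before any field of the object is read or returned, so predictability of the identifier stops mattering.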
Impact
This vulnerability could be exploited to:
- Access private AI conversations or artwork created by other users.
- Leak sensitive prompts (e.g. personal scenarios, NSFW content).
Fix & Meta’s Response
Meta’s security team responded promptly and handled the report professionally. Here’s their official statement:
“After reviewing this issue, we have decided to award you a bounty of $10,000. Below is an explanation of the bounty amount. Meta fulfills its bounty awards through Bugcrowd.
You demonstrated an issue where a malicious actor could access users' prompts and AI-generated media via a certain GraphQL query, potentially allowing an attacker to access users’ private media. We mitigated this and found no evidence of abuse.”

Meta security team's response after deploying temporary fix.
Timeline
Reported: December 26, 2024
Temporary Fix Deployed: January 24, 2025
Full Fix Confirmed: April 24, 2025
Total Bounty Awarded: $10,000 USD
Conclusion
This vulnerability exposed a critical access control flaw in the Meta AI platform, allowing unauthorized access to other users' prompts and AI-generated content via a missing ownership check on the media_set_id parameter. The issue could have led to serious privacy violations and unauthorized data harvesting. Meta has since remediated the vulnerability by implementing proper authorization checks, ensuring that media assets are only accessible to their rightful owners. We commend the Meta security team for their prompt response and resolution.
If you are interested in conducting similar research or collaborating on security testing, feel free to reach out to us via our Contact Page.
For press or PR-related queries, please email: pr@appsecure.security
Founder & CEO @ Appsecure Security