Bassem Bazzoun

Published On: 28 Dec 2022

Disclose the followers/following list of any Facebook profile with privacy set to [Only Me]

Privacy/Authentication
Facebook | Android
---
LOW VALID

On Facebook, a person can follow another person's profile. Sending a friend request also makes the sender follow the recipient by default, even before the recipient responds to the request.

Description

The following and followers lists are shown on every user's profile. The privacy of these two lists can be set to "Only Me", in which case both lists are hidden and only the profile owner can see them.

Impact

One GraphQL query did not enforce the privacy setting of these lists. Any authenticated user could send it with a target profile ID and retrieve that profile's followers/following list even when its privacy was set to "Only Me".




Reproduction Steps

Step 1

UserA - Victim
UserB - Victim
UserC - Attacker

From the UserA account, open the "Friends" tab on the profile and tap the three-dots button at the top right to edit the privacy settings.

Step 2

Change the privacy of the followers and following lists to "Only Me".

Step 3

Repeat the first two steps from the UserB account so that UserB's following/followers lists are also set to "Only Me".

Now there are two victims whose following/followers lists have privacy set to "Only Me".

Step 4

From the UserA account, follow UserB. Either of these works:
- Send UserB a friend request from the UserA account without accepting it from UserB's side; UserA then starts following UserB by default.
- Or open UserB's profile from the UserA account and use the "Follow" option behind the three-dots button on the right of the screen.

Step 5

After UserA follows UserB, send the GraphQL POST request below using the access token of UserC's first-party (Facebook Android) app session. UserC has no relationship with either victim.

Set the profile_id variable to UserB's ID:

    {
      "variables": {
        "profile_id": "UserB_ID",
        "should_fetch_followers": true
      },
      "client_doc_id": "30871348494835084060081021490"
    }

Step 6

The response contains the name of UserA. It should not, because both UserA and UserB have set their list privacy to "Only Me" and UserC is neither of them.

By disclosing UserB's followers list, UserC learns that UserA follows UserB; the same relationship therefore also appears in UserA's (hidden) following list.
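To make the missing check concrete, here is an added example (not the report's or Facebook's code) that models the resolver behind the request above. The profiles, names and resolver logic are constructed; only the request shape (profile_id, should_fetch_followers, client_doc_id) is taken from step 5. It shows the vulnerable behaviour (the list is returned to any caller) next to the fixed one (the server decides visibility from the viewer's identity and the owner's privacy setting before reading any data). The assumption that should_fetch_followers=false returns the following list is mine, not confirmed by the report.

```python
# Added example, not from the report or Facebook: a toy model of the resolver
# behind the GraphQL request, showing the privacy check that was missing.
# Profiles, names and logic are constructed; only the request shape comes
# from the report.
from dataclasses import dataclass, field

# Privacy values as shown in the Facebook UI. "Friends" is an assumed middle
# setting, included so the check is general and fails closed on anything else.
PUBLIC, FRIENDS, ONLY_ME = "Public", "Friends", "Only Me"


@dataclass
class Profile:
    id: str
    name: str
    list_privacy: str = PUBLIC                   # privacy of followers/following lists
    friends: set = field(default_factory=set)    # ids of confirmed friends
    following: set = field(default_factory=set)  # ids this profile follows


# Constructed state matching the reproduction steps: A and B set their lists
# to "Only Me", A follows B, C is an unrelated attacker account.
PROFILES = {
    "UserA_ID": Profile("UserA_ID", "UserA", ONLY_ME, following={"UserB_ID"}),
    "UserB_ID": Profile("UserB_ID", "UserB", ONLY_ME),
    "UserC_ID": Profile("UserC_ID", "UserC"),
}


def build_request(profile_id, should_fetch_followers=True):
    """Request body in the shape given in step 5 (client_doc_id as reported).
    Treating false as 'fetch the following list' is an assumption."""
    return {
        "variables": {
            "profile_id": profile_id,
            "should_fetch_followers": should_fetch_followers,
        },
        "client_doc_id": "30871348494835084060081021490",
    }


def _list_for(owner, want_followers):
    """Followers (who follows owner) or following (whom owner follows), by name."""
    if want_followers:
        ids = [p.id for p in PROFILES.values() if owner.id in p.following]
    else:
        ids = list(owner.following)
    return sorted(PROFILES[i].name for i in ids)


def can_view_lists(viewer_id, owner):
    """Server-side check keyed on the authenticated viewer, never on client input."""
    if viewer_id == owner.id:
        return True
    if owner.list_privacy == PUBLIC:
        return True
    if owner.list_privacy == FRIENDS:
        return viewer_id in owner.friends
    return False  # ONLY_ME, or any unknown value, fails closed


def resolve_vulnerable(viewer_id, request):
    """Behaviour the report describes: viewer_id is ignored, the list is returned
    to whoever asks."""
    v = request["variables"]
    owner = PROFILES[v["profile_id"]]
    return {"data": {"names": _list_for(owner, v["should_fetch_followers"])}}


def resolve_fixed(viewer_id, request):
    """Same resolver with the privacy check applied before any data is read."""
    v = request["variables"]
    owner = PROFILES[v["profile_id"]]
    if not can_view_lists(viewer_id, owner):
        return {"data": None, "errors": [{"message": "list not visible to viewer"}]}
    return {"data": {"names": _list_for(owner, v["should_fetch_followers"])}}


if __name__ == "__main__":
    req = build_request("UserB_ID", should_fetch_followers=True)
    print("vulnerable, viewer C:", resolve_vulnerable("UserC_ID", req))
    print("fixed, viewer C:     ", resolve_fixed("UserC_ID", req))
    print("fixed, viewer B:     ", resolve_fixed("UserB_ID", req))
```

The point of the fixed variant is where the check lives: the decision uses the viewer identity bound to the access token and the owner's stored privacy value, and nothing in the request body (profile_id, should_fetch_followers, client_doc_id) can widen what the caller is allowed to see. A regression test for this class of bug is exactly the step-5 request sent from an unrelated third account, asserting that the data field comes back empty.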

Timeline

Bassem, 11 Sep 2022: Report sent
Facebook, 12 Sep 2022: Triaged
Facebook, 24 Sep 2022: Bounty rewarded
Facebook, 25 Oct 2022: Bug fixed
