Published On: 18 Jul 2020
In Facebook Events, the admin of a "private" Event can invite a user by that user's email address, and anyone already on the guest list (i.e. already invited to the private event) can invite any user through that user's Facebook account. The invited person has three options for responding to an invitation: "Going", "Maybe" or "Can't Go".
A malicious user is able to DoS a "private" Event's wall, so that the admin/host of the event can no longer access or moderate the event.
Step 1
Setup:
UserA: Victim - Admin
UserB: Victim
UserC: Attacker

Step 2
UserA creates a "private" Event.

Step 3
UserA invites UserC to the event through UserC's email address.

Step 4
UserB invites UserC through UserC's Facebook account.

Step 5

Step 6
UserC responds to UserA's email invitation with the "Can't Go" option. UserC is redirected to his Facebook account, chooses the option "Respond as [UserC's Facebook account name]" and performs the action.

Step 7
After UserC's action, the event wall no longer loads for UserA (the admin) or for UserB (the guest of the event who invited UserC).