Published On: 04 Jun 2020
A private event has an option to hide the guest list from the other guests to ensure the privacy. But an attacker was able to find the presence of another person in the event just by posting victim's profile URL in the event.
.After pasting the URL of victim and then inspecting the page source, the attacker was able find 'weakReference' class name near the victim's name in the HTML source. This means the victim is not a guest in the event.
This bug allow attacker to infer whether a person was on the guest list of a private event.
Step
1
Scenario : private event
guests : A (attacker), B (victim)
A and B are invited to the private event.
Step
2
User A couldn't find the guest list as the event setting is not to show the guest list.
Step
3
User A who wants to know if B is present in the event list naviagates to the B's facebook profile. A copies the URL and create a new post in the event by pasting the URL. A notices the reference of the B's profile is greyed out in the post just submitted.
Step
4
A inspects the HTML source and finds a class named 'weakReference' along with the name of the user B denoting the B is not a guest in the event.