Vivek PS

Published On: 04 Jun 2020

$1,000

Ability to know the presence of a person in a private event even if the guest list is hidden.

Privacy/Authentication
Facebook | Web
---
LOW VALID

A private event has an option to hide the guest list from other guests to protect their privacy. But an attacker was able to determine whether another person was on the guest list just by posting the victim's profile URL in the event.

Description

After pasting the victim's profile URL and then inspecting the page source, the attacker was able to find the 'weakReference' class name near the victim's name in the HTML source. This means the victim is not a guest in the event.

Impact

This bug allows an attacker to infer whether a person was on the guest list of a private event.




Reproduction Steps

Step 1

Scenario: private event

Guests: A (attacker), B (victim)

A and B are invited to the private event.

Step 2

User A cannot see the guest list because the event is set not to show it.

Step 3

User A, who wants to know whether B is on the event's guest list, navigates to B's Facebook profile. A copies the profile URL and creates a new post in the event by pasting the URL. A notices that the reference to B's profile is greyed out in the post just submitted.

Step 4

A inspects the HTML source and finds a class named 'weakReference' next to user B's name, denoting that B is not a guest in the event.
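The leak in the steps above is a markup difference that depends on hidden guest-list membership. The following regression check is an added example, not code from the report or from Facebook: the renderer, the policy that only hosts may see a hidden list, and every name except the 'weakReference' class are assumptions made for illustration.

```javascript
// Added example: hypothetical renderer, not Facebook's code. Only the
// 'weakReference' class name is taken from the write-up; all else is assumed.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

const link = (cls, user) =>
  `<a class="${cls}" href="/profile/${encodeURIComponent(user.id)}">` +
  `${escapeHtml(user.name)}</a>`;

// Leaky: styling depends on guest membership for every viewer.
function renderMentionLeaky(event, user, _viewer) {
  return link(event.guests.has(user.id) ? 'ref' : 'ref weakReference', user);
}

// Assumed policy: only hosts may see a hidden guest list.
function canSeeGuestList(event, viewer) {
  return !event.hideGuestList || event.hosts.has(viewer.id);
}

// Hardened: membership reaches the markup only if the viewer may see the list.
function renderMentionHardened(event, user, viewer) {
  const weak = canSeeGuestList(event, viewer) && !event.guests.has(user.id);
  return link(weak ? 'ref weakReference' : 'ref', user);
}

// Differential check: render the same mention with the target on and off
// the guest list; any byte difference is an oracle for membership.
function leaksMembership(render, event, viewer, target) {
  const others = [...event.guests].filter((id) => id !== target.id);
  const on = { ...event, guests: new Set([...others, target.id]) };
  const off = { ...event, guests: new Set(others) };
  return render(on, target, viewer) !== render(off, target, viewer);
}

// Constructed sample data mirroring the scenario: A is the viewer, B the target.
const sampleEvent = {
  hideGuestList: true,
  hosts: new Set(['host']),
  guests: new Set(['a', 'b']),
};
const userA = { id: 'a', name: 'A' };
const userB = { id: 'b', name: 'B' };

console.log('leaky:', leaksMembership(renderMentionLeaky, sampleEvent, userA, userB));
console.log('hardened:', leaksMembership(renderMentionHardened, sampleEvent, userA, userB));
```

Comparing the whole rendered fragment rather than searching for one class name also catches the same leak if it reappears through a different attribute or style.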

Timeline
Vivek, 15 Mar 2020: Initial report

Facebook, 17 Mar 2020: Couldn't reproduce

Vivek, 08 Apr 2020: Additional information was sent

Facebook, 11 May 2020: Triaged

Facebook, 29 May 2020: Fixed

Vivek, 30 May 2020: Fix confirmed

Facebook, 04 Jun 2020: Bounty awarded
