Sarmad Hassan

Published On: 11 Jun 2019

Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups

IDOR
Facebook | Web
---
LOW VALID

I was checking my old notes on my machine and I saw the note below: * To check "Watch Party Option". So what is the Watch Party option? It’s a new feature in Facebook groups that allows group admins and even normal members to pick any public video on Facebook and show it to other members at the same time; for more details see this link https://globaldatinginsights.com/2018/05/02/facebook-watch-party-allows-groups-watch-videos-simultaneously

Description

There was an IDOR bug in the "graphql" endpoint used when you create or post a "Watch party" in a Facebook group: the server performed no authorization check on the parameter called "group_id", so the caller's permissions in the group named by that parameter were never verified.

Impact

This bug allowed an attacker to bypass the settings below:

1- Posting Admin approval.
2- Mute Member.
3- Posting Permissions set to Only admins.




Reproduction Steps

Step 1

From victim perspective:

Go to the settings of a group that you own and check:

  • Post Approval: All group posts must be approved by an admin or a moderator.
  • Posting Permissions: Only admin.

Step 2

From victim perspective:

Go to your group member options, select the "Attacker" name and mute him,

so the attacker will not be able to post anything in your group.

Step 3

From Attacker perspective:

Go to a group that you own ===> create watch party ===> Intercept the request

the request will be like below:

POST /api/graphql/ HTTP/1.1
variables={"input":{"client_mutation_id":"2","actor_id":"userID","composer_session_id":"SESSIONID","creator_actor_id":"actorID","custom_name":null,"group_id":"AttackerGroupID","video_ids":["VIDEO-ID"]}}&doc_id=doc-id

Step 4

From Attacker perspective:

Change the value of "group_id":"AttackerGroupID" to the victim's group ID and forward the request; the response will be like below:

{
  "data": {
    "group_living_room_create": {
      "client_mutation_id": "2",
      "living_room": {
        "__typename": "LivingRoomSession",
        "id": "199255894011111"
      }
    }
  }
}

where "id": "199255894011111" is your LivingRoomSession

Step 5

From Attacker perspective:

Go to https://www.facebook.com/groups/[victim-group-id]/wp/[LivingRoomSession-id]

and you will be able to watch this video and invite all group members to see it, which means you bypassed all the group settings set by the group admin.
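The fix for a bug like this lives on the server: the mutation has to authorize the actor against the group named by the group_id it actually receives, not against the group whose page the composer was opened from. The check below is an added example, not Facebook's code, showing how the three bypassed settings from the Impact section (post approval, mute, admins-only posting) map onto that check for the reproduction steps above. The group records, member names (victim, attacker) and the form-encoded body are constructed; the body is only shaped like the request in Step 3.

```python
"""Hypothetical server-side authorization for a "create watch party" mutation.
Added example, not Facebook's code: groups, members and the request body are
constructed to mirror the report's setup (Steps 1-4)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import parse_qs


class PostingPermission(Enum):
    ANYONE = "anyone"       # any member may post
    ADMINS_ONLY = "admins"  # "Posting Permissions: Only admin"


class Decision(Enum):
    ALLOW = "allow"                        # create the LivingRoomSession now
    PENDING_APPROVAL = "pending_approval"  # hold for an admin/moderator ("Post Approval")
    DENY = "deny"                          # refuse; do not create a session


@dataclass
class Group:
    group_id: str
    members: set
    admins: set
    muted: set = field(default_factory=set)  # "Mute Member"
    posting_permission: PostingPermission = PostingPermission.ANYONE
    post_approval_required: bool = False      # "Post Approval"


# Constructed sample data. "victim-group" carries the settings from Steps 1 and 2;
# "attacker-group" is the group the attacker owns in Step 3.
GROUPS = {
    "victim-group": Group(
        group_id="victim-group",
        members={"victim", "attacker"},
        admins={"victim"},
        muted={"attacker"},
        posting_permission=PostingPermission.ADMINS_ONLY,
        post_approval_required=True,
    ),
    "attacker-group": Group(
        group_id="attacker-group", members={"attacker"}, admins={"attacker"},
    ),
    "approval-group": Group(  # approval only, to show the PENDING_APPROVAL path
        group_id="approval-group",
        members={"victim", "attacker"},
        admins={"victim"},
        post_approval_required=True,
    ),
}


def authorize_watch_party(mutation_input: dict, groups: dict = GROUPS) -> Decision:
    """Decide using the server-side record for the group_id the request carries.

    Substituting another group's id therefore subjects the request to that
    group's settings instead of escaping them. Membership and mute are hard
    denials, then the posting permission, then post approval.
    """
    actor = mutation_input.get("actor_id")
    group = groups.get(mutation_input.get("group_id"))
    if actor is None or group is None:
        return Decision.DENY
    if actor not in group.members:  # a group the actor does not belong to
        return Decision.DENY
    if actor in group.muted:        # Step 2: muted members cannot post
        return Decision.DENY
    is_admin = actor in group.admins
    if group.posting_permission is PostingPermission.ADMINS_ONLY and not is_admin:
        return Decision.DENY        # Step 1: "Posting Permissions: Only admin"
    if group.post_approval_required and not is_admin:
        return Decision.PENDING_APPROVAL  # Step 1: needs admin/moderator approval
    return Decision.ALLOW


def decide_from_body(body: str, groups: dict = GROUPS) -> Decision:
    """Extract variables.input from a form-encoded GraphQL body and check it.

    The layout (variables=<json>&doc_id=...) mirrors Step 3; the decision is
    keyed on input["group_id"], the field the attacker rewrote in Step 4.
    """
    fields = parse_qs(body, strict_parsing=True)
    variables = json.loads(fields["variables"][0])
    return authorize_watch_party(variables["input"], groups)


# Constructed request reproducing the Step 4 swap: attacker actor, victim group_id.
SAMPLE_BODY = (
    'variables={"input":{"client_mutation_id":"2","actor_id":"attacker",'
    '"composer_session_id":"SESSIONID","creator_actor_id":"attacker",'
    '"custom_name":null,"group_id":"victim-group","video_ids":["VIDEO-ID"]}}'
    '&doc_id=doc-id'
)

if __name__ == "__main__":
    print(decide_from_body(SAMPLE_BODY))  # Decision.DENY
```

With the swapped body the decision is DENY because the attacker is muted in, and not an admin of, the group the request names; the same actor creating a session in the group they own gets ALLOW. A regression test for this class of IDOR is exactly that pair: the same actor, the same request, differing only in group_id.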

 

Takeaways:

1- Try to keep a document of notes for your target and check it from time to time.
2- If you found a bug, don’t stop; try to dig deeper, maybe you get more than one impact.
3- Always ask yourself "what if!!" when you search for bugs.
4- If I can do it, you can do it too, trust me :)


Timeline

  • Sarmad, 03 Jun 2018: Initial Report
  • Facebook, 14 Jun 2018: Report Triaged
  • Facebook, 27 Jun 2018: Fixed the first two impacts
  • Facebook, 17 Jul 2018: Complete Fix
  • Sarmad, 18 Jul 2018: Fix Confirmed
  • Facebook, 18 Jul 2018: Bounty awarded
