Published On: 07 Feb 2020
Facebook has an option that lets users review tags before they appear on their posts. The official description of this option (https://www.facebook.com/settings?tab=timeline&section=tagreview&view) reads: "If someone who you aren't friends with adds a tag to your post, you'll still be asked to review it."
This report describes a bypass of the tag restrictions on videos that could have allowed a malicious user to get around the tag review setting on videos.
Step 1
Consider two users: James is the victim and Kassem is the attacker.
Step 2
The victim, James, enabled tag review by going to Settings -> Timeline & Tagging -> Review -> "Review tags that people add to your posts before the tags appear on Facebook" -> Enabled.
https://www.facebook.com/settings?tab=timeline&section=tagreview&view
Step 3
James uploads a public video to his profile.
Step 4
The attacker, Kassem Bazzoun, isn't friends with James. He will tag himself or any of his friends on James's video without James being asked for a review.
Step 5
Kassem made a POST request to the Graph API using a first-party token.
Kassem used the Android mobile token.
Endpoint: james_video_id/tags
Parameter: tag_uid: kassem_id
https://developers.facebook.com/tools/explorer/?method=POST&path=182042472940644%2Ftags&version=v5.0&tag_uid=574396703
Step 6
The tag is applied successfully without any review from James, even though James enabled the review option.
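The steps above come down to a tag-write path that never consulted the owner's review setting. The following is an added example, not Facebook's code and not part of the original report: a hypothetical in-memory model (all class names, function names and IDs are constructed) that puts a handler with no policy check beside one that enforces the setting server-side.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    review_tags: bool = False                 # the "Review tags" setting from Step 2
    friends: set = field(default_factory=set)

@dataclass
class Video:
    owner: User
    tags: list = field(default_factory=list)      # tags visible on the video
    pending: list = field(default_factory=list)   # tags waiting for the owner's review

def add_tag_unchecked(video, actor, tag_uid):
    """Hypothetical handler mirroring the reported behaviour: no policy lookup."""
    video.tags.append(tag_uid)
    return "published"

def add_tag_enforced(video, actor, tag_uid):
    """Hypothetical handler that applies the owner's setting on the server, so the
    result is the same for every client and token type that reaches the endpoint."""
    owner = video.owner
    if actor.uid == owner.uid:                # owners tag their own content freely
        video.tags.append(tag_uid)
        return "published"
    # Per the setting's description: tags from non-friends are always reviewed,
    # and with the setting enabled every tag added by someone else is reviewed.
    if owner.review_tags or actor.uid not in owner.friends:
        video.pending.append((actor.uid, tag_uid))
        return "pending_review"
    video.tags.append(tag_uid)
    return "published"

def scenario(handler):
    """Replay Steps 1-5 with constructed IDs and return what James's video shows."""
    james = User("james", review_tags=True)
    kassem = User("kassem")                   # not in james.friends
    video = Video(owner=james)
    status = handler(video, kassem, kassem.uid)
    return status, video.tags, video.pending

if __name__ == "__main__":
    print("unchecked:", scenario(add_tag_unchecked))
    print("enforced: ", scenario(add_tag_enforced))
```

A regression test for this class of bug should exercise every object type and every client path that can write a tag, not only the one the web UI uses.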