Published On: 03 Oct 2019
Reply to any question sticker disregarding privacy
Privacy/Authentication
Facebook | Android
---
LOW VALIDReply to friend/non-friend question stickers no matter what the privacy is .
Description
Reply to friend/non-friend question stickers no matter what the privacy by changing the numeric "story_card_question_id" parameter in reply to question sticker in stories section. in: POST /graphql HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-FB-Friendly-Name: QuestionStickerAnswerMutation Host: graph.facebook.com
Impact
1) Attacker can reply to any question disregarding privacy by bruteforcing the id . 2) victim/s will think that the attacker has seen his story before replying to it so he will be afraid to upload stories again even if he sets the privacy up .
Reproduction Steps
Step
1
To "Reproduce" The Issue You Need 3 Facebook Accounts :
A,B & C
A & B Are Friends
B & C Are Friends
A & C Are Not Friends !
C is the Attacker....
Step
2
"A" Uploads A Story ( With ask me a question sticker) and sets its privacy to only friends.
Step
3
"B" View The Story Of "A" And Send A Question (Ex: How you doing?)
Step
4
"B" will Capture The Request via burp And Save The "story_card_question_id" then Forward the Request .
Step
5
"B" uploads a story ( With Ask Me A Question)
Step
6
"C" View The Story Of "B" And Send "B" a reply (Ex: are you okay?)
Step
7
"C" Capture The Request And Change The "story_card_question_id" To The "story_card_question_id" of "A"
Step
8
"C" Sends The Request .
Step
9
The Response will show : Error while executing operation \"QuestionStickerAnswerMutation\ .
Step
10
But If "A" Checks The Answers On His Story he will detect that there is a reply From A Non-friend User "C" !!!!
Videos