Majd Dhainy

Published On: 03 Oct 2019

Reply to any question sticker disregarding privacy

Privacy/Authentication
Facebook | Android
---
LOW VALID

Reply to friend/non-friend question stickers no matter what the privacy is.

Description

An attacker can reply to friend/non-friend question stickers, no matter what the privacy is, by changing the numeric "story_card_question_id" parameter in the reply-to-question-sticker request in the Stories section. The request is:

POST /graphql HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-FB-Friendly-Name: QuestionStickerAnswerMutation
Host: graph.facebook.com

Impact

1) The attacker can reply to any question, disregarding privacy, by brute-forcing the ID.
2) The victim(s) will think that the attacker saw the story before replying to it, and so will be afraid to upload stories again even if the privacy is set.




Reproduction Steps

Step 1

To reproduce the issue you need 3 Facebook accounts: A, B and C.
A and B are friends.
B and C are friends.
A and C are not friends!
C is the attacker.

Step 2

"A" uploads a story (with an "Ask me a question" sticker) and sets its privacy to friends only.

Step 3

"B" views the story of "A" and sends a question (e.g. How you doing?).

Step 4

"B" captures the request via Burp, saves the "story_card_question_id", then forwards the request.

Step 5

"B" uploads a story (with an "Ask me a question" sticker).

Step 6

"C" views the story of "B" and sends "B" a reply (e.g. are you okay?).

Step 7

"C" captures the request and changes the "story_card_question_id" to the "story_card_question_id" of "A".

Step 8

"C" sends the request.

Step 9

The response will show: Error while executing operation \"QuestionStickerAnswerMutation\".

Step 10

But if "A" checks the answers on his story, he will see a reply from a non-friend user, "C"!
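The missing server-side check, sketched as an added example (not code from the report or from Facebook): an in-memory model in which the handler must authorize the viewer against the object named by "story_card_question_id" before writing anything. Accounts follow step 1; the ids 1001/1002, all function names, and the write-before-check ordering in the unsafe handler are assumptions chosen to reproduce the outcome of steps 9 and 10.

```python
# Constructed data: friendships from step 1, hypothetical question ids.
FRIENDS = {frozenset(("A", "B")), frozenset(("B", "C"))}
# story_card_question_id -> (story owner, audience)
QUESTIONS = {1001: ("A", "friends"), 1002: ("B", "friends")}


class MutationError(Exception):
    pass


def can_view(viewer, owner, audience):
    """True if `viewer` is allowed to see a story owned by `owner`."""
    if viewer == owner or audience == "public":
        return True
    return audience == "friends" and frozenset((viewer, owner)) in FRIENDS


def answer_unsafe(store, viewer, story_card_question_id, text):
    """Trusts the client-supplied id: the write happens before the check."""
    owner, audience = QUESTIONS[story_card_question_id]
    store.append((story_card_question_id, viewer, text))  # side effect first
    if not can_view(viewer, owner, audience):             # too late to matter
        raise MutationError("Error while executing operation")
    return "ok"


def answer_checked(store, viewer, story_card_question_id, text):
    """Authorizes the viewer against the referenced object before any write."""
    entry = QUESTIONS.get(story_card_question_id)
    # Same error for unknown and forbidden ids, so responses do not
    # confirm which ids exist.
    if entry is None or not can_view(viewer, *entry):
        raise MutationError("Error while executing operation")
    store.append((story_card_question_id, viewer, text))
    return "ok"


def replay(handler):
    """Replays steps 3 to 8: B answers A's sticker, then C submits A's id."""
    store = []
    results = [handler(store, "B", 1001, "How you doing?")]
    try:
        results.append(handler(store, "C", 1001, "are you okay?"))
    except MutationError:
        results.append("error")
    return results, store
```

Both handlers return the same error to "C", so the response alone does not show whether the answer was stored; a regression test has to inspect the stored answers, as step 10 does.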



Timeline

Majd, 03 Sep 2019: Initial Report
Facebook, 10 Sep 2019: Report Triaged
Facebook, 03 Oct 2019: Fixed By Facebook
Majd, 03 Oct 2019: Fix Confirmed
Facebook, 03 Oct 2019: Bounty awarded
