Rony K Roy

Published On: 21 Dec 2019

$2,000

Disclosing privately shared gaming clips of any user

IDOR
Facebook | Web
---
LOW VALID
Description

While watching a live gaming video, a user can create a clip from the last 60 seconds and share it as a post. Post privacy can be 'only me', 'friends', or 'public', but irrespective of the post privacy, all such posts can be disclosed by a malicious user.

Impact

This could have led to the leak of gaming clips a user shared, even when they shared the clip to a limited audience like "Friends" or "Only Me."




Reproduction Steps

Step 1

Setup

  • User A
  • User B

User A and User B aren't Facebook friends

Step 2

Log in as User A and browse www.facebook.com/gaming

Step 3

Play any live gaming video and enlarge the video

Now create a clip of 60 seconds

Step 4

Add post description

Change post privacy to only me/friends

Click post

Step 5

Log in as User B and browse User A's timeline (the post isn't visible)

Step 6

Browse www.facebook.com/gaming
Clips > Your Clips > Shared clips > Select Oldest and intercept the request.

Step 7

Change the User ID in the Variables parameter to the User ID of User A

Forward the request
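
The missing server-side check behind this report, shown as an added example that is not Facebook's code or its actual fix: a handler that trusts the user ID sent in the request variables, next to one that decides visibility per clip from the authenticated session. The data model, function names and the `user_id` key are assumptions made for illustration.

```python
# Added illustration; data model and function names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Clip:
    clip_id: int
    owner_id: str
    privacy: str  # "only_me", "friends" or "public"


# Constructed sample data: User A and User B are not friends.
CLIPS = [
    Clip(1, "user_a", "only_me"),
    Clip(2, "user_a", "friends"),
    Clip(3, "user_a", "public"),
    Clip(4, "user_b", "friends"),
]
FRIENDS = {("user_a", "user_c"), ("user_c", "user_a")}


def can_view(viewer_id: str, clip: Clip) -> bool:
    """Per-object check, evaluated against the authenticated viewer."""
    if viewer_id == clip.owner_id:
        return True
    if clip.privacy == "public":
        return True
    if clip.privacy == "friends":
        return (viewer_id, clip.owner_id) in FRIENDS
    return False  # "only_me" and any unknown value: deny by default


def shared_clips_vulnerable(session_user: str, variables: dict) -> list:
    # Trusts the client-supplied id: whoever is named in `variables`
    # gets their clips returned, regardless of who is asking.
    return [c for c in CLIPS if c.owner_id == variables["user_id"]]


def shared_clips_fixed(session_user: str, variables: dict) -> list:
    # The id in `variables` only selects whose clips are requested;
    # visibility is decided per clip from the server-side session identity.
    owner = variables.get("user_id", session_user)
    return [c for c in CLIPS
            if c.owner_id == owner and can_view(session_user, c)]
```

A regression test for this class of bug replays the same request under a second, unrelated account and asserts that only public objects come back.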

Timeline

Rony 18 Aug 2019

Submitted

Facebook 21 Aug 2019

Reproduced: Nice find! We've managed to reproduce your report and will get back to you once we have had a chance to investigate :)

Facebook 21 Aug 2019

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 06 Sep 2019

Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Facebook 13 Sep 2019

Bounty Awarded: After reviewing this issue, we have decided to award you a bounty of $2000. Below is an explanation of the bounty amount. Facebook fulfills its b ...
