Sudhanshu shaw

Published On: 19 Jul 2020

Co-host able to remove host from Facebook event

Privacy/Authentication
Facebook | Web
---
MEDIUM VALID

Setup

Facebook as a page (two pages: Page A and Page B), Facebook Web, Burp Suite

Description

According to Facebook's guidelines, a host can never be removed from an event; the host cannot even leave the event voluntarily.

Impact

A scenario was created in which the original host could be removed from the event, making the co-host the new host.

Reproduction Steps

Step 1

Page A creates an event and makes Page B as co-host.


Step 2

Page B accepts the request and clicks Edit Event. With Burp intercepting the traffic, Page B clicks Save.

Step 3

In the request intercepted by Burp, search for the co-host id. Replace it with Page A's id and forward the request.

Step 4

Page A receives a co-host request for the same event it was hosting.

Now if Page A rejects the request, Page A is removed from the event, making Page B the new host.

And if Page A accepts the request, Page A becomes a co-host and Page B becomes the host.
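The defect behind the four steps above is that the event-edit endpoint trusts the co-host id list in the request, and the invite flow then treats the stored host like any other invitee. The following Python is an added example, not code from the report or from Facebook: it models that behaviour beside a hardened version that enforces the stated invariant ("a host can never be removed from an event") on the server. Event, Forbidden, the page ids and all function names are hypothetical, and the sample event is constructed inline.

```python
# Added example, not code from the report or from Facebook: a minimal model of
# event hosting that shows the flawed trust in the request's co-host list
# beside a hardened version that enforces the invariant "a host can never be
# removed from an event". Event, Forbidden and all function names are
# hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The actor is not allowed to make the requested change."""


@dataclass
class Event:
    event_id: str
    host: str                                    # page id of the host
    cohosts: set = field(default_factory=set)    # accepted co-host page ids
    pending: dict = field(default_factory=dict)  # invitee page id -> inviter


def _require_editor(event, actor):
    # Hosts and co-hosts may edit the event; anyone else is rejected.
    if actor != event.host and actor not in event.cohosts:
        raise Forbidden("not a host or co-host of this event")


def edit_cohosts_vulnerable(event, actor, requested_cohosts):
    """Flaw: the co-host id list from the request is trusted as-is, so the
    host's own id can be submitted and becomes a pending co-host invite."""
    _require_editor(event, actor)
    for page_id in requested_cohosts:
        if page_id not in event.cohosts:
            event.pending[page_id] = actor
    return event


def resolve_invite_vulnerable(event, invitee, accept):
    """Flaw: the stored host is handled like any other invitee, so resolving
    the invite hands the host role to whoever sent it (the co-host)."""
    inviter = event.pending.pop(invitee)
    if invitee == event.host:
        event.host = inviter
        event.cohosts.discard(inviter)
        if accept:
            event.cohosts.add(invitee)  # old host demoted to co-host
        # on reject the old host simply drops out of the event
    elif accept:
        event.cohosts.add(invitee)
    return event


def edit_cohosts_hardened(event, actor, requested_cohosts):
    """Fix: the host is never derived from request data, and the host's id is
    rejected if it appears in the co-host list."""
    _require_editor(event, actor)
    requested = set(requested_cohosts)
    if event.host in requested:
        raise Forbidden("the host cannot be invited as a co-host")
    for page_id in requested - event.cohosts:
        event.pending[page_id] = actor
    return event


def resolve_invite_hardened(event, invitee, accept):
    """Fix: a second, independent check so an invite can never touch the host
    role even if one slipped past the edit path."""
    if invitee == event.host:
        raise Forbidden("the host role cannot change through an invite")
    event.pending.pop(invitee)
    if accept:
        event.cohosts.add(invitee)
    return event


def host_invariant_holds(event):
    """Server-side check worth asserting after any event mutation."""
    return event.host not in event.cohosts and event.host not in event.pending


def demo():
    """Replay the report's scenario against both versions; returns outcomes."""
    results = {}
    for accept in (False, True):
        ev = Event("event-1", host="pageA", cohosts={"pageB"})  # constructed
        edit_cohosts_vulnerable(ev, "pageB", ["pageB", "pageA"])
        resolve_invite_vulnerable(ev, "pageA", accept)
        results[("vulnerable", accept)] = (ev.host, sorted(ev.cohosts))

    ev = Event("event-1", host="pageA", cohosts={"pageB"})  # constructed
    try:
        edit_cohosts_hardened(ev, "pageB", ["pageB", "pageA"])
        results["hardened"] = "accepted"
    except Forbidden as exc:
        results["hardened"] = f"rejected: {exc}"
    results["invariant"] = host_invariant_holds(ev)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the vulnerable path ending with pageB as host whether pageA accepts or rejects, exactly the two outcomes in Step 4, while the hardened edit refuses the request before any invite exists. The invariant check is deliberately separate from the two fixes so it can be asserted after every mutation of an event rather than relying on any one endpoint to be correct.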

Timeline

Sudhanshu 02 Apr 2020

Report Sent

Facebook 06 Apr 2020

Pre-Triage

Sudhanshu 18 Apr 2020

Message to ask why delay in Triage status

Facebook 18 Apr 2020

Stewie responded: We can't seem to repro this issue. Basically when the attacker adds victim (host) to the cohost, the victim doesn't receive any invitation no mat ...

Sudhanshu 18 Apr 2020

Not able to Reproduce: I asked Stewie to check if this was a duplicate issue, or ask the Product team if this was a direct patch or indirect patch.

Facebook 18 Apr 2020

Stewie responded saying there was a confusion with the Product Team: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Facebook 08 May 2020

Bounty Awarded
