Disclose the Facebook Learning Unit Group Insight

There is an IDOR issue in a feature called learning unit which lead to disclose the Group Insight. If the targeted group privacy is public, then attacker can disclose the group insight without become a member and for closed/secret group privacy, attacker need to become a member.

Steps :

1. Request

POST /groups/learning/edit_units_dialog/submit/
.....
group_id=Attacker_Group&description=&unit_ids[0]=Victim_Unit_ID

Response :

for (;;);{"__ar":1,"payload":null,"jsmods":{"require":[["ServerRedirect","reloadPage",[],[]]]},...

Victim unit should appear in attacker group.

2. Attacker go to his group > group insight and request a download to download the group insight data (.csv format) and wait until notification from facebook that his data is ready to be download.

3. From the browser, open a new tab and go to https://www.facebook.com/groups/Attacker_group_ID/completions_export/

4. The .csv file including victim unit details its being downloaded and attacker can see the victim unit details by opening the file.

 Impact :

Attacker can read the "Group Insight" data.

 Video :



Timeline :

18 Aug 2018 : Send Report to Facebook
23 Aug 2018 : Triaged
1 Sept 2018  : Fix Confirmed
1 Sept 2018  : Bounty $1500





Comments

  1. Rudra16September 3, 2020 at 8:25 PM

    Good one bro. Did you check workplace for this issue? or it was not vulnerable?

    ReplyDelete

Post a Comment

Popular posts from this blog

[XSLeaks] Tracking User with Page Admin/Editor/Moderator roles on Third Party Website

Image
I was reading this blog  about XSLeaks issue in facebook which using window.length to return a number of frames inside the document and use it to extract data from facebook user who visit the Third Party website. So, i start to find the same issue in facebook and i found the same thing in  https://web.facebook.com/[page_username]/inbox . You can check if the endpoint has the same issue by typing frames.length in the browser console, in my case it return 3 and This endpoint is only accessible by user which has admin/editor/moderator role. So, if user with no role or had different role besides admin, editor and moderator, it will display a 404 page and the 404 page has 0 frames.length. The reason why the frames.length return a value of 3 is because my page mailbox is not empty and will return 1 if the mailbox is empty (and your a page admin). Using this lovely behaviour i can track if the page admin A is visiting my website. So here is the javascript : <script> page = "Your Pa
Read more

Cara Membuat Kertas Penghantar Listrik Dengan Conductive Ink

Image
Cara Membuat Kertas Penghantar Listrik Dengan  Conductive Ink Kali ini ane bakalan nge-share cara membuat kertas penghantar listrik dengan  conductive ink  atau tinta konduktif.  "Kertas penghantar listrik ? pasti mahal yah ngebuatnya ?"  ga mahal kok gan bahkan barang-barangnya bisa agan dapat di dekat rumah agan atau mungkin ada di depan agan sendiri.  "Wah masa sih ?"  daripada kebanyakan nanya :v, nih tutorial pembuatan tinta konduktif. Siapkan Alat & Bahan Bahan : 1. Tinta hitam atau Cat hitam (cat air yang biasa dipake kalo menggambar) 2. Lem cair (Bukan Ehabond yah JANGAN!) 3. Arang (Ane saranin arang dari sisa pembakaran kayu, kalo dari tempurung ato yang lain ane belum pernah coba) Alat : 1. Blender 2. Suntik penyedot Gimana ? gak susah kan nyari bahan-bahannya ? dalam tutorial ini arang merupakan komponen utama, karena arang mengandung carbon yang membuat benda hitam imut ini menjadi konduktor yang bagus. Tapi tidak semua arang adalah konduktor
Read more