[Page Analyst] Inviting group member to join watch party on behalf page

It is possible for page analyst to invite another group-linked-page member to watch party on behalf the page itself.

Steps :

1. As page analyst create a watch party in group and you will redirect to https://www.facebook.com/groups/<Group ID>/wp/<Watch Party>

2. Once you redirect, change the url to https://www.facebook.com/groups/<Group ID>/wp/<Watch Party>/?av=<Page ID>

3. Now go to invite menu and invite any group member and they will receive the notification from the page.

Here is the video, please skip to 0:55 for the proof of concept.


Facebook Team fix the endpoint but the root cause of this issue is from the graphql.

Here is another POC (Using FB Android Acc Token) :




Impact :

This would allow a group-linked Page Analyst to be able to invite Group members to join the watch party as the Page instead of their normal user

Timeline :

22 Aug 2018    : Report to Facebook
25 Aug 2018    : Triaged
6 Sept 2018      : First steps is fix
23 Sept 2018    : Send another information 
04 Oct 2018     : Bounty Awarded $500   
10 Jan 2019      : All Fixed by Facebook Team


Comments

Post a Comment

Popular posts from this blog

[XSLeaks] Tracking User with Page Admin/Editor/Moderator roles on Third Party Website

Image
I was reading this blog  about XSLeaks issue in facebook which using window.length to return a number of frames inside the document and use it to extract data from facebook user who visit the Third Party website. So, i start to find the same issue in facebook and i found the same thing in  https://web.facebook.com/[page_username]/inbox . You can check if the endpoint has the same issue by typing frames.length in the browser console, in my case it return 3 and This endpoint is only accessible by user which has admin/editor/moderator role. So, if user with no role or had different role besides admin, editor and moderator, it will display a 404 page and the 404 page has 0 frames.length. The reason why the frames.length return a value of 3 is because my page mailbox is not empty and will return 1 if the mailbox is empty (and your a page admin). Using this lovely behaviour i can track if the page admin A is visiting my website. So here is the javascript : <script> page = "Your Pa
Read more

Disclose the Facebook Learning Unit Group Insight

Image
There is an IDOR issue in a feature called learning unit which lead to disclose the Group Insight. If the targeted group privacy is public, then attacker can disclose the group insight without become a member and for closed/secret group privacy, attacker need to become a member. Steps : 1. Request POST /groups/learning/edit_units_dialog/submit/ ..... group_id=Attacker_Group&description=&unit_ids[0]=Victim_Unit_ID Response : for (;;);{"__ar":1,"payload":null,"jsmods":{"require":[["ServerRedirect","reloadPage",[],[]]]},... Victim unit should appear in attacker group. 2. Attacker go to his group > group insight and request a download to download the group insight data (.csv format) and wait until notification from facebook that his data is ready to be download. 3. From the browser, open a new tab and go to https://www.facebook.com/groups/Attacker_group_ID/completions_export/ 4. The .csv file includi
Read more

Cara Mengatasi "Disk Write Error" di DotA 2.

Image
Agan pernah ketika update dota 2 lewat steam terus jadinya kayak gambar di bawah ini : English Version Sedih pastinya ye bro ? padahal udah bela-belain kehujanan beli kuota, udah semangat 46 mau main dota 2 ehh tau-taunya pas mau di update dota 2nya ga mau sama muka agan *oops* :'v. Disini ane mau sharing pengetahuan yang ane
Read more