[Page Analyst] Inviting group member to join watch party on behalf page

It is possible for page analyst to invite another group-linked-page member to watch party on behalf the page itself.

Steps :

1. As page analyst create a watch party in group and you will redirect to https://www.facebook.com/groups/<Group ID>/wp/<Watch Party>

2. Once you redirect, change the url to https://www.facebook.com/groups/<Group ID>/wp/<Watch Party>/?av=<Page ID>

3. Now go to invite menu and invite any group member and they will receive the notification from the page.

Here is the video, please skip to 0:55 for the proof of concept.


Facebook Team fix the endpoint but the root cause of this issue is from the graphql.

Here is another POC (Using FB Android Acc Token) :




Impact :

This would allow a group-linked Page Analyst to be able to invite Group members to join the watch party as the Page instead of their normal user

Timeline :

22 Aug 2018    : Report to Facebook
25 Aug 2018    : Triaged
6 Sept 2018      : First steps is fix
23 Sept 2018    : Send another information 
04 Oct 2018     : Bounty Awarded $500   
10 Jan 2019      : All Fixed by Facebook Team


Comments

Post a Comment

Popular posts from this blog

Cara Membuat Kertas Penghantar Listrik Dengan Conductive Ink

Image
Cara Membuat Kertas Penghantar Listrik Dengan  Conductive Ink Kali ini ane bakalan nge-share cara membuat kertas penghantar listrik dengan  conductive ink  atau tinta konduktif.  "Kertas penghantar listrik ? pasti mahal yah ngebuatnya ?"  ga mahal kok gan bahkan barang-barangnya bisa agan dapat di dekat rumah agan atau mungkin ada di depan agan sendiri.  "Wah masa sih ?"  daripada kebanyakan nanya :v, nih tutorial pembuatan tinta konduktif. Siapkan Alat & Bahan Bahan : 1. Tinta hitam atau Cat hitam (cat air yang biasa dipake kalo menggambar) 2. Lem cair (Bukan Ehabond yah JANGAN!) 3. Arang (Ane saranin arang dari sisa pembakaran kayu, kalo dari tempurung ato yang lain ane belum pernah coba) Alat : 1. Blender 2. Suntik penyedot Gimana ? gak susah kan nyari bahan-bahannya ? dalam tutorial ini arang merupakan komponen utama, karena arang mengandung carbon yang membuat benda hitam imut ini menjadi konduktor yang bagus. Tapi tidak semua arang ada...
Read more

Disclose the Facebook Learning Unit Group Insight

Image
There is an IDOR issue in a feature called learning unit which lead to disclose the Group Insight. If the targeted group privacy is public, then attacker can disclose the group insight without become a member and for closed/secret group privacy, attacker need to become a member. Steps : 1. Request POST /groups/learning/edit_units_dialog/submit/ ..... group_id=Attacker_Group&description=&unit_ids[0]=Victim_Unit_ID Response : for (;;);{"__ar":1,"payload":null,"jsmods":{"require":[["ServerRedirect","reloadPage",[],[]]]},... Victim unit should appear in attacker group. 2. Attacker go to his group > group insight and request a download to download the group insight data (.csv format) and wait until notification from facebook that his data is ready to be download. 3. From the browser, open a new tab and go to https://www.facebook.com/groups/Attacker_group_ID/completions_export/ 4. The .csv file includi...
Read more

Cara Mengatasi "Disk Write Error" di DotA 2.

Image
Agan pernah ketika update dota 2 lewat steam terus jadinya kayak gambar di bawah ini : English Version Sedih pastinya ye bro ? padahal udah bela-belain kehujanan beli kuota, udah semangat 46 mau main dota 2 ehh tau-taunya pas mau di update dota 2nya ga mau sama muka agan *oops* :'v. Disini ane mau sharing pengetahuan yang ane
Read more