
Facebook WhiteHat: Able to access group plan details even after leaving the group.


Product/URL

https://www.facebook.com/messages/t/[group_messagesID]

Description and Impact

Facebook Messages has an option to create a group, where a user can add multiple friends to chat, make plans and share pictures together.

Once a user is no longer part of the group, they are not supposed to see the group's updated information.

However, a former member can still access the group plan after leaving the group.

Peter, is it?

Reproduction Instructions/Proof of Concept

We have two test accounts, Test A and Test B.

1. Test A creates a new group, "Test Group", and adds members (Test B, Test C).
2. Test A creates a plan in the group, with a date, venue and plan name.
3. There is some argument between Test A and Test B, and Test B leaves the group.
4. Test A and Test C decide to change the plan venue, as Test B is already aware of all the plan details.
5. Test A changes the plan venue and date; however, Test B can still see the updated plan information.

Ideally, a user who is not part of the group should not be able to see the updated changes to the plan.
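As an added illustration (not Facebook's code; all class and function names are hypothetical), a minimal group-plan service that models the scenario above: the vulnerable read serves the plan by group id without re-checking membership, while the fixed read evaluates membership on every request, so access is revoked the moment a member leaves.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception): pass  # caller is not a current member


@dataclass
class Group:
    members: set = field(default_factory=set)
    plan: dict = None  # keys: name, venue, date


class PlanService:
    def __init__(self):
        self.groups = {}
    def create_group(self, gid, owner, members):
        self.groups[gid] = Group(members={owner, *members})
    def leave(self, gid, user):
        self.groups[gid].members.discard(user)
    def _require_member(self, gid, user):
        if user not in self.groups[gid].members:
            raise NotAuthorized(f"{user} is not a current member of {gid}")
    def update_plan(self, gid, user, name, venue, date):
        self._require_member(gid, user)
        self.groups[gid].plan = {"name": name, "venue": venue, "date": date}
    # Vulnerable read: serves the plan by group id alone and never re-checks
    # membership, so a user who already left still sees every later update.
    def get_plan_vulnerable(self, gid, user):
        return self.groups[gid].plan
    # Fixed read: membership is evaluated on each request, so leaving the
    # group revokes access to anything changed afterwards.
    def get_plan(self, gid, user):
        self._require_member(gid, user)
        return self.groups[gid].plan


def reproduce():
    """Replay the report with constructed data: B leaves, A edits, B reads."""
    svc = PlanService()
    svc.create_group("test-group", "A", {"B", "C"})
    svc.update_plan("test-group", "A", "Dinner", "Old venue", "day 1")
    svc.leave("test-group", "B")
    svc.update_plan("test-group", "A", "Dinner", "New venue", "day 2")
    leaked = svc.get_plan_vulnerable("test-group", "B")["venue"]
    try:
        svc.get_plan("test-group", "B")
        blocked = False
    except NotAuthorized:
        blocked = True
    return leaked, blocked
```

The same check belongs on every read and write path for group resources (plan, pictures, message history), since a check performed only at group-join time does nothing once the member has left.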

Impact:

A user who is no longer a member of the group chat can still see the updated details of the plan, which defeats the group's privacy controls on Facebook.

Timeline:

Reported on 03.02.2018

Bounty:




Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy
