
Facebook WhiteHat: Able to access group plan details even after leaving the group.


Product/URL

https://www.facebook.com/messages/t/[group_messagesID]

Description and Impact

Facebook Messages has an option to create a group, where a user can add multiple friends to chat, make plans and share pictures together.

Whenever a user is not a part of the group, they are not allowed to see the group's updated information.

However, one can still access the group plan even when no longer in the group.

Peter, is it?

Reproduction Instructions/Proof of Concept

We have two test accounts, test A and test B.

1. Test A creates a new group, "Test Group", and adds members (test B, test C).
2. Test A creates a plan in the group, with a date, venue and plan name.
3. There is some argument between Test A and Test B, and Test B leaves the group.
4. Test A and Test C decide to change the plan venue, as Test B was already aware of all the plan details.
5. Test A changes the plan venue and date; however, Test B can still see the updated plan information.

Ideally, if one is not a part of the group, they should not be able to see the updated changes to the plan.
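As an added illustration (not code from the original post and not Facebook's code), here is a minimal Python model of the defect class the steps above describe: a backend that authorizes plan reads against a viewer list snapshotted when the plan was created keeps serving later edits to a user who has since left, while a backend that checks current membership on every read does not. The data model, the `Group`/`Plan` classes, the account names and the venues and dates are all constructed for this example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not read or edit the plan."""


@dataclass
class Plan:
    name: str
    venue: str
    date: str
    # Snapshot of who could see the plan when it was created (constructed
    # defect). A backend that authorizes reads against this list never
    # learns that someone left the group afterwards.
    viewers_at_creation: set = field(default_factory=set)


@dataclass
class Group:
    members: set = field(default_factory=set)
    plans: dict = field(default_factory=dict)

    def add_member(self, user: str) -> None:
        self.members.add(user)

    def remove_member(self, user: str) -> None:
        self.members.discard(user)

    def create_plan(self, creator: str, name: str, venue: str, date: str) -> Plan:
        if creator not in self.members:
            raise Forbidden(f"{creator} is not a member")
        plan = Plan(name, venue, date, viewers_at_creation=set(self.members))
        self.plans[name] = plan
        return plan

    def update_plan(self, editor: str, name: str, venue: str, date: str) -> Plan:
        if editor not in self.members:
            raise Forbidden(f"{editor} is not a member")
        plan = self.plans[name]
        plan.venue, plan.date = venue, date
        return plan


def read_plan_vulnerable(group: Group, user: str, plan_name: str) -> dict:
    """Authorizes against the creation-time viewer list, so a user who left
    the group afterwards still passes and sees every later edit."""
    plan = group.plans[plan_name]
    if user not in plan.viewers_at_creation:
        raise Forbidden(f"{user} may not view {plan_name}")
    return {"name": plan.name, "venue": plan.venue, "date": plan.date}


def read_plan_fixed(group: Group, user: str, plan_name: str) -> dict:
    """Authorizes against current membership on every read: leaving the group
    revokes access to the plan, including all edits made after leaving."""
    if user not in group.members:
        raise Forbidden(f"{user} is not a member")
    plan = group.plans[plan_name]
    return {"name": plan.name, "venue": plan.venue, "date": plan.date}


def reproduce(read_plan, viewer: str = "test_b"):
    """Replays the post's steps (create group with A, B, C; A creates a plan;
    B leaves; A edits venue and date) and returns what `viewer` sees
    afterwards, or None if the read is denied. Values are constructed."""
    group = Group()
    for user in ("test_a", "test_b", "test_c"):
        group.add_member(user)
    group.create_plan("test_a", "dinner", "Old venue", "2018-03-01")
    group.remove_member("test_b")
    group.update_plan("test_a", "dinner", "New venue", "2018-03-02")
    try:
        return read_plan(group, viewer, "dinner")
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable, former member sees:", reproduce(read_plan_vulnerable))
    print("fixed, former member sees:     ", reproduce(read_plan_fixed))
    print("fixed, current member sees:    ", reproduce(read_plan_fixed, "test_c"))
```

The design point is in `read_plan_fixed`: the authorization decision is recomputed from the group's current membership on each request rather than from any list captured when the plan was created, so removal from the group immediately revokes access to everything edited afterwards. The same membership check belongs on every endpoint that exposes plan state (reads, edit history, notifications), since a stale viewer list would leak through any of them.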

Impact:

Someone who is no longer a member of the group chat can see the updated details of the plan, thus violating Facebook's privacy feature.

Timeline:

Reported on 03.02.2018

Bounty:

Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy
