Facebook WhiteHat: Able to access group plan even after leaving the group.
Product/URL:
https://www.facebook.com/messages/t/[group_messagesID]
Description and Impact
Facebook Messages has an option to create a group, where a user can add multiple friends to chat, make plans and share pictures together.
When a user is not a part of the group, he is not allowed to see the group's updated information.
However, one can still access the group plan even when no longer in the group.
Reproduction Instructions/Proof of Concept
We have two test accounts, Test A and Test B.
1. Test A creates a new group, "Test Group", and adds members (Test B, Test C).
2. Test A creates a plan in the group, with a date, venue and plan name.
3. There is some argument between Test A and Test B, and Test B leaves the group.
4. Test A and Test C decide to change the plan venue, as Test B was already aware of all the plan details.
5. Test A changes the plan venue and date; however, Test B can still see the updated plan information.
Ideally, if one is not a part of the group, he should not be able to see the updated changes to the plan.
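The steps above describe an authorization check that is not re-evaluated after a membership change. The following is an added illustration, not Facebook's code and not from the report's author: it models a group, its plan and the five reproduction steps in memory, and contrasts a vulnerable accessor with a hardened one. The assumed root cause (a viewer list snapshotted when the plan is created and never refreshed) is an assumption for illustration; the report does not state why access persisted. Account names, the group, the plan and its venue and dates are all constructed.

```python
"""Added illustration (not Facebook's code): plan access must be decided
against *current* group membership on every read, not a stored snapshot.

Assumed root cause for illustration only: the vulnerable accessor trusts the
member list copied into the plan at creation time, so a user who later leaves
the group keeps read access. The hardened accessor consults the group's live
member set at request time. All users, groups and plans are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    group_id: str
    members: set = field(default_factory=set)


@dataclass
class Plan:
    plan_id: str
    group_id: str
    name: str
    venue: str
    date: str
    # Snapshot of members at creation time; only the vulnerable path uses it.
    viewers_at_creation: set = field(default_factory=set)


class PlanStore:
    def __init__(self):
        self.groups = {}
        self.plans = {}

    def create_group(self, group_id, creator, invitees):
        self.groups[group_id] = Group(group_id, {creator, *invitees})

    def leave_group(self, group_id, user):
        self.groups[group_id].members.discard(user)

    def create_plan(self, plan_id, group_id, author, name, venue, date):
        group = self.groups[group_id]
        if author not in group.members:
            raise PermissionError(f"{author} is not a member of {group_id}")
        self.plans[plan_id] = Plan(plan_id, group_id, name, venue, date,
                                   viewers_at_creation=set(group.members))

    def update_plan(self, plan_id, editor, **changes):
        plan = self.plans[plan_id]
        if editor not in self.groups[plan.group_id].members:
            raise PermissionError(f"{editor} is not a member of {plan.group_id}")
        for key, value in changes.items():
            if key not in ("name", "venue", "date"):
                raise ValueError(f"cannot change {key}")
            setattr(plan, key, value)

    # Vulnerable: authorization uses the stale snapshot, so a user who has
    # left the group still reads the latest venue and date.
    def get_plan_vulnerable(self, plan_id, requester):
        plan = self.plans[plan_id]
        if requester not in plan.viewers_at_creation:
            raise PermissionError(f"{requester} may not view {plan_id}")
        return {"name": plan.name, "venue": plan.venue, "date": plan.date}

    # Hardened: authorization is derived from current membership on each read.
    def get_plan(self, plan_id, requester):
        plan = self.plans[plan_id]
        if requester not in self.groups[plan.group_id].members:
            raise PermissionError(f"{requester} may not view {plan_id}")
        return {"name": plan.name, "venue": plan.venue, "date": plan.date}


def reproduce(get):
    """Run the report's steps against one accessor; return what Test B sees
    after leaving the group, or None if access was correctly denied."""
    store = PlanStore()
    store.create_group("test-group", "test_a", ["test_b", "test_c"])        # step 1
    store.create_plan("plan-1", "test-group", "test_a",
                      "Dinner", "Old venue", "2018-02-10")                   # step 2
    store.leave_group("test-group", "test_b")                                # step 3
    store.update_plan("plan-1", "test_a",
                      venue="New venue", date="2018-02-11")                  # step 5
    try:
        return get(store, "plan-1", "test_b")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable:", reproduce(PlanStore.get_plan_vulnerable))
    print("hardened:  ", reproduce(PlanStore.get_plan))
```

The vulnerable accessor returns the updated venue and date to Test B; the hardened one denies the read, while Test A and Test C, who are still members, continue to see the plan. The general lesson is that any object shared through a group (plans, files, pinned messages) should derive its readers from the group's membership at request time rather than caching an access list on the object.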
Impact:
One who is no longer a member of the group chat can still see the updated details of the plan, thus violating Facebook's privacy feature.
Timeline:
Reported on 03.02.2018
Bounty:
Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy