Skip to main content

Facebook WhiteHat: Able to access group plan details even after leaving the group.

Facebook WhiteHat: Able to access group plan even after leaving the group.

Product/URL

https://www.facebook.com/messages/t/[group_messagesID]

Description and Impact

Facebook messages has an option to create group, where a user can add multiple friends to chat, plan share pictures together.

Whenever a user is not a part of the group, he is not allowed to see the updated information of the group.

However one can still access the group plan even when not in a group.

Peter, is it?

Reproduction Instructions/Proof of Concept

We have two test accounts, (test A) and (test B)

1. Test A Creates a new Group, Test Group, add members.(test B, test C )
2. Test A creates a plan in group, with date, venue and plan name.
3. There is some argument between Test A and Test B, and Test B leaves the group.
4. Test A and Test C decides to change the plan venue as Test B was already aware of the all plan details.
5. Test A changes the plan venue and date, however Test B can see the plan updated information.

Ideally if one is not a part of the group he should not be able to see the updated changes in the plan.

Impact:

One who is not be a member of the group chat can see the updated details of the plan thus violating privacy feature of Facebook.

Timeline:

Reported on 03.02.2018

Bounty:




Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy

Labels:

Comments

Post a Comment

Popular posts from this blog

Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts

STEWIE NOT DOG, HUNT SOME BUGS MY BOY!!!!
Google AdWords , is Google's advertising system in which advertisers bid on certain keywords in their searchable ads. Since advertisers have to pay for these clicks, Google makes money from search.
ISSUE: A user with read only access to the adwords account was able to link Youtube channels to the adwords account. Reported: 5th April
Steps to reproduce: 1. Go to https://adwords.google.com create a test adwords account. From settings, Account access add another userA with Read-only access (Here's the access right is allocated as read only users) Now 3. Go to user A mail account and accept the invitation to join the adwords account. 4. from user A adwords account go to settings then Linked accounts and then youtube, with below description: YouTube channels Link a YouTube channel to your AdWords account to gain greater insights about your customers.
5. Add a youtube channel and accept the same via your youtube account. the channel is added to the adword…
Post a Comment
Read more

Missing Authorization check while deleting App Review for Marketing API: Facebook Whitehat

Missing Authorization check while deleting App Review for Marketing APIPeter, was enjoying the weekend, and he heard Lois screaming.
Hey, Peter, when are we getting new Television:
Well, huh!!! Alright…
Let's find something Honey :p 
Facebook has an option for App Review for Marketing API:
This privilege is only given to app admin:
App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review.
Impact:
A developer can change the app submission settings which can only be done by an admin and can also play with current submission settings.
here's the official documentation:
Facebook developer's documentation
The authorization check for the developer is missing on backend for the add/delete requests.
Peter being a developer was able to delete the added submissions(despite of having them disabled on front end)
Steps to replicate:1. create a test app,
2. add admin A and developer B
3. from developer B’s account go to
https://developers.facebook…
Post a Comment
Read more

Hijacking Friend Requests Facebook: White Hat ./FamilyGuy

Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account:Product/URL:Facebook android app on facebookDescription and Impact The issue:
Missing authorisation check while accessing friend request API on android app, an attacker can add friend requests of any facebook user into his own account. in simple words Peter says:
Wait, what, no, no, Peter is a nice fellow. Peter: Ok, but still  Its like I can intercept and accept friend requests from someone which was send to some other user via Facebook send friend request to contacts option.
Let's report!! Sceanrio: X sends friends request by contacts option to Y. And I can get the request which was send to Y and become friend with X.
Reproduction Instructions/Proof of Concept: 1. install latest android app.  2. Create new account.  3. Enter a random mobile number[victim's]. 4. Enter a good name. 5. Enter gender. 6. You can skip uploading photo as well as uploading contacts. 7. As soon as you land on fb home p…
1 comment
Read more