Facebook WhiteHat: Able to access group plan even after leaving the group.
Description and Impact
Facebook Messages has an option to create a group, where a user can add multiple friends to chat, plan, and share pictures together.
Whenever a user is not a part of the group, he is not allowed to see the updated information of the group.
However, one can still access the group plan even when not in the group.
Reproduction Instructions/Proof of Concept
We have two test accounts, (test A) and (test B).
1. Test A creates a new group, Test Group, and adds members (test B, test C).
2. Test A creates a plan in group, with date, venue and plan name.
3. There is some argument between Test A and Test B, and Test B leaves the group.
4. Test A and Test C decide to change the plan venue, as Test B was already aware of all the plan details.
5. Test A changes the plan venue and date; however, Test B can still see the updated plan information.
Ideally, if one is not a part of the group, he should not be able to see the updated changes in the plan.
One who is not a member of the group chat can see the updated details of the plan, thus violating the privacy feature of Facebook.
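The access rule the report expects, shown as an added example that is not part of the original report and not Facebook's code: a hypothetical in-memory model replays steps 1-5 against a plan read with no membership check and against one that re-checks current membership on every read. All class, method and plan names, venues and dates are constructed assumptions.

```python
# Hypothetical in-memory model; names are assumptions, not Facebook's implementation.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not a current member of the group."""


@dataclass
class Plan:
    name: str
    venue: str
    date: str


@dataclass
class Group:
    members: set = field(default_factory=set)
    plans: dict = field(default_factory=dict)  # plan_id -> Plan

    def read_plan_unchecked(self, user: str, plan_id: str) -> Plan:
        # Models the observed behaviour: the read is not tied to membership.
        return self.plans[plan_id]

    def read_plan(self, user: str, plan_id: str) -> Plan:
        # Expected behaviour: membership is re-checked on every read, so a
        # user who has left the group loses access to later updates.
        if user not in self.members:
            raise Forbidden(f"{user} is not a member of this group")
        return self.plans[plan_id]


def replay_report_steps(reader_name: str) -> str:
    """Replay steps 1-5 with constructed data; return what test B observes."""
    group = Group(members={"test A", "test B", "test C"})        # step 1
    group.plans["p1"] = Plan("Dinner", "Venue 1", "day 1")       # step 2
    group.members.discard("test B")                              # step 3
    group.plans["p1"].venue = "Venue 2"                          # steps 4-5
    group.plans["p1"].date = "day 2"
    try:
        return getattr(group, reader_name)("test B", "p1").venue
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    print(replay_report_steps("read_plan_unchecked"))  # former member sees update
    print(replay_report_steps("read_plan"))            # former member is refused
```

Kept as a regression test, the second call guards against the check being dropped from any later read path for plans.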
Reported on 03.02.2018
Thanks Facebook Security for the quick resolution and an awesome program: