Introduction
While reviewing my old notes on my computer, I came across the following entry:
- To check “Watch Party Option”
So, what exactly is the Watch Party Option?
The Watch Party Option is a feature of Facebook groups that lets group admins and regular members alike pick any public video on Facebook and play it simultaneously to the other group members, so the group can watch and react to the chosen video together. For more detail on how the feature works, refer to the following link: https://globaldatinginsights.com/2018/05/02/facebook-watch-party-allows-groups-watch-videos-simultaneously
The finding
During testing of the Watch Party functionality in Facebook groups, an Insecure Direct Object Reference (IDOR) vulnerability was identified in the “graphql” endpoint: the server created a watch party in whatever group ID the request named, without checking that the requesting user was allowed to post in that group. This bug allowed an attacker to bypass the following group controls:
- Posting admin approval.
- Muting a member.
- Posting permissions restricted to admins.
Reproduction Steps
Step 1 – Victim Perspective:
- Navigate to the group settings you own.
- Verify the settings:
- Post Approval: All group posts must be approved by an admin or a moderator.
- Posting Permissions: Only admin.
Step 2 – Victim Perspective:
- Access the group member options and mute the “Attacker” to prevent any posts in the group.
Step 3 – Attacker Perspective:
- Go to your group.
- Create a watch party and intercept the request. The request structure is as follows:
POST /api/graphql/ HTTP/1.1
variables={"input":{"client_mutation_id":"2","actor_id":"userID","composer_session_id":"SESSIONID","creator_actor_id":"actorID","custom_name":null,"group_id":"AttackerGroupID","video_ids":["VIDEO-ID"]}}&doc_id=doc-id
Step 4 – Attacker Perspective:
- Change the value of “group_id”: “AttackerGroupID” to the victim group ID and forward the request. The response will be similar to:
{
"data": {
"group_living_room_create": {
"client_mutation_id": "2",
"living_room": {
"__typename": "LivingRoomSession",
"id": "199255894011111"
}
}
}
}
where “id”: “199255894011111” is the LivingRoomSession ID.
Step 5 – Attacker Perspective:
- Visit https://www.facebook.com/groups/[victim-group-id]/wp/[LivingRoomSession id].
- Watch the video and invite all group members, effectively bypassing all group settings established by the group admin.
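The fix for this class of bug is a server-side authorization check on the client-supplied group_id before the mutation creates anything. The following Python sketch is an added example and not Facebook's code: it places a vulnerable resolver shape (trusting group_id as received) next to a hardened one that enforces the three group controls named above (membership and mute status, admin-only posting, and post approval) against the referenced group. The data structures, function names, and the in-memory group fixture are all assumptions made for the illustration.

```python
# Added example (not Facebook's code): a server-side authorization check that a
# GraphQL mutation such as group_living_room_create must perform on the
# client-supplied group_id before creating a LivingRoomSession. All names,
# data structures and the in-memory group fixtures below are assumptions.
from dataclasses import dataclass, field
import itertools


class AuthorizationError(Exception):
    """Raised when the actor may not create a watch party in the target group."""


@dataclass
class GroupSettings:
    posting_permission: str          # "everyone" or "admins_only"
    post_approval_required: bool     # every member post must be approved


@dataclass
class Group:
    group_id: str
    settings: GroupSettings
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)   # non-admin members
    muted: set = field(default_factory=set)


@dataclass
class LivingRoomSession:
    session_id: str
    group_id: str
    creator_actor_id: str
    video_ids: list
    status: str                      # "published" or "pending_approval"


_session_ids = itertools.count(1)


def create_watch_party_unchecked(actor_id, group_id, video_ids, groups):
    """Vulnerable shape: the mutation trusts group_id from the request and
    never asks whether actor_id is allowed to post in that group (IDOR).
    The groups argument is accepted only to mirror the hardened signature."""
    return LivingRoomSession(str(next(_session_ids)), group_id, actor_id,
                             list(video_ids), "published")


def create_watch_party(actor_id, group_id, video_ids, groups):
    """Hardened shape: every group-level posting control is enforced on the
    server against the referenced group, not against the actor's own group."""
    group = groups.get(group_id)
    if group is None:
        raise AuthorizationError("unknown group")
    is_admin = actor_id in group.admins
    # 1. Object-level access: the actor must belong to the referenced group.
    if not is_admin and actor_id not in group.members:
        raise AuthorizationError("actor is not a member of this group")
    # 2. Muted members cannot post anything, watch parties included.
    if actor_id in group.muted:
        raise AuthorizationError("actor is muted in this group")
    # 3. Posting permissions restricted to admins.
    if group.settings.posting_permission == "admins_only" and not is_admin:
        raise AuthorizationError("only admins may post in this group")
    # 4. Post approval: member content is queued instead of going live.
    status = ("pending_approval"
              if group.settings.post_approval_required and not is_admin
              else "published")
    return LivingRoomSession(str(next(_session_ids)), group_id, actor_id,
                             list(video_ids), status)


def demo_groups():
    """Constructed fixture mirroring the report: a victim group locked down
    by its admin, and a separate group that the attacker administers."""
    victim = Group("victim-group",
                   GroupSettings("admins_only", True),
                   admins={"victim-admin"},
                   members={"attacker", "regular-member"},
                   muted={"attacker"})
    attacker_own = Group("attacker-group",
                         GroupSettings("everyone", False),
                         admins={"attacker"})
    return {g.group_id: g for g in (victim, attacker_own)}


def outcome(actor_id, group_id, groups=None):
    """Return the session status, or the reason the request was refused."""
    groups = groups if groups is not None else demo_groups()
    try:
        return create_watch_party(actor_id, group_id, ["video-1"], groups).status
    except AuthorizationError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    for actor, gid in [("attacker", "attacker-group"), ("attacker", "victim-group"),
                       ("regular-member", "victim-group"), ("victim-admin", "victim-group")]:
        print(f"{actor:15} -> {gid:15}: {outcome(actor, gid)}")
```

The ordering of the checks matters for the report's timeline: an implementation that only adds the membership and mute checks (the first two impacts fixed on 27 Jun) still lets an unmuted member bypass admin-only posting and approval, which is why the complete fix also has to evaluate posting_permission and post_approval_required against the target group.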
Timeline
Sarmad | 03 Jun 2018
- Initial Report
Meta Bug Bounty | 14 Jun 2018
- Report Triaged
Meta Bug Bounty | 27 Jun 2018
- Fixed the first two impacts
Meta Bug Bounty | 17 Jul 2018
- Complete Fix
Sarmad | 18 Jul 2018
- Fix Confirmed
Meta Bug Bounty | 18 Jul 2018
- Bounty Awarded