Persistent Distorted Posts Issue and Unremovable Content in Facebook Group

Introduction

Facebook recently added a new group type option called “Social Learning”. Groups classified in this way gain access to the new “Units” feature, which allows you to leverage the group as a platform for online course content or simply to organize your posts by topic. For more details see https://www.facebook.com/help/184985882229224

The finding

During the testing of this feature, an Insecure Direct Object Reference (IDOR) vulnerability was identified in the ‘POST’ request sent when adding a group post to a new unit, specifically in the ‘post_id’ parameter. Facebook failed to validate the value of ‘post_id’ (it did not check that the referenced post belonged to the group named in ‘group_id’), allowing an attacker to include any post from a different group in a unit within a group they owned. This vulnerability allowed the attacker to:

  1. Distort ‘Text Post only,’ rendering the post as ‘Attachment not available.’
  2. Add a title from their unit above posts belonging to other users, which both distorts the original content and makes the post undeletable. To achieve this, the attacker needed to invite the owner of the post to their group (the attacker group).

Reproduction Steps

Step 1 – Attacker Perspective:

  • Navigate to the group owned by the attacker ==> Edit group settings ==> Group type => select Social learning.

Step 2 – Attacker Perspective:

  • Make any post in the attacker-owned group ==> Click on 3 dots ==> Add to new Unit ==> Fill the requirements ==> Intercept with Burpsuite ==> Create Unit.

Step 3 – Attacker Perspective:

  • Observe the post request:
POST /groups/learning/create_with_post/?group_id=[Attacker_Group_ID]&post_id=[Attacker_Post_ID]&dpr=1 HTTP/1.1

jazoest=[number]&fb_dtsg=[anti_csrft]&unit name=bla&unit description=bla&post title=bla

Step 4 – Attacker Perspective:

  • Go to any group where the attacker is a member.
  • Choose between:
    • If distorting a post is desired, find posts with “Text only.”
    • If adding a title to the unit on the post and making it undeletable is the goal, invite the owner of that post to the attacker’s group (an invitation alone is sufficient).
  • Obtain the post ID and replace it in “Step 3,” then forward the request.

Step 5 – Victim Perspective (Admin of the Group and Owner of the Post):

  • Once the attacker performs the attack, the owner of the post will be unable to delete their post.
  • The group admin will also be unable to delete the attacked post, regardless of their administrative privileges.
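The root cause described above is an object-level authorization gap: the endpoint verified that the caller could edit the unit in group_id, but never verified that post_id pointed at a post inside that same group. The following added example (my own illustration, not Facebook's code) models that in a small in-memory store: a vulnerable handler that trusts post_id as received, a hardened handler that rejects any post not belonging to the target group, and a detection helper that scans constructed log lines for create_with_post requests whose post_id and group_id disagree. All names (Post, Group, create_unit_*, flag_cross_group_requests, the log format) are hypothetical; only the request path matches the one in Step 3.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Post:
    post_id: int
    group_id: int        # the group the post was published in
    author_id: int


@dataclass
class Group:
    group_id: int
    admin_id: int
    members: set = field(default_factory=set)
    units: list = field(default_factory=list)   # each unit: {"name": ..., "post_ids": [...]}


class AuthorizationError(Exception):
    """Raised when the caller may not act on the referenced object."""


# Constructed sample state: the attacker (100) admins group 1 and is a plain
# member of group 2, which the victim (200) admins. Post 2 lives in group 2.
ATTACKER, VICTIM = 100, 200
POSTS = {
    1: Post(post_id=1, group_id=1, author_id=ATTACKER),
    2: Post(post_id=2, group_id=2, author_id=VICTIM),
}
GROUPS = {
    1: Group(group_id=1, admin_id=ATTACKER, members={ATTACKER}),
    2: Group(group_id=2, admin_id=VICTIM, members={VICTIM, ATTACKER}),
}


def create_unit_vulnerable(user_id, group_id, post_id, unit_name):
    """Mirrors the behaviour the writeup describes: the caller must admin
    group_id, but post_id is used as-is, so a post from another group can be
    pulled into the caller's unit."""
    group = GROUPS[group_id]
    if group.admin_id != user_id:
        raise AuthorizationError("not an admin of this group")
    post = POSTS[post_id]          # BUG: no check that post.group_id == group_id
    unit = {"name": unit_name, "post_ids": [post.post_id]}
    group.units.append(unit)
    return unit


def create_unit_hardened(user_id, group_id, post_id, unit_name):
    """Same operation with the missing object-level check: the referenced post
    must belong to the group whose unit is being created. A missing post and a
    foreign post get the same generic error, so the endpoint cannot be used to
    probe which post IDs exist elsewhere."""
    group = GROUPS[group_id]
    if group.admin_id != user_id:
        raise AuthorizationError("not an admin of this group")
    post = POSTS.get(post_id)
    if post is None or post.group_id != group_id:
        raise AuthorizationError("post not found in this group")
    unit = {"name": unit_name, "post_ids": [post.post_id]}
    group.units.append(unit)
    return unit


# Constructed access-log excerpt (format invented for this example); the second
# line is the cross-group reference from the writeup's Step 4.
SAMPLE_LOG = """\
user=100 POST /groups/learning/create_with_post/?group_id=1&post_id=1&dpr=1
user=100 POST /groups/learning/create_with_post/?group_id=1&post_id=2&dpr=1
user=200 POST /groups/learning/create_with_post/?group_id=2&post_id=2&dpr=1
"""


def flag_cross_group_requests(log_text):
    """Detection side: return (user, group_id, post_id) for every
    create_with_post request whose post_id belongs to a different group than
    the group_id in the query string. Requires the post->group mapping that
    the application itself holds (POSTS here)."""
    flagged = []
    for line in log_text.splitlines():
        if "/groups/learning/create_with_post/" not in line:
            continue
        user, _method, target = line.split()[:3]
        qs = parse_qs(urlparse(target).query)
        gid, pid = int(qs["group_id"][0]), int(qs["post_id"][0])
        post = POSTS.get(pid)
        if post is not None and post.group_id != gid:
            flagged.append((user, gid, pid))
    return flagged


if __name__ == "__main__":
    print(create_unit_vulnerable(ATTACKER, 1, 2, "bla"))   # succeeds: foreign post captured
    try:
        create_unit_hardened(ATTACKER, 1, 2, "bla")
    except AuthorizationError as exc:
        print("hardened handler rejected it:", exc)
    print(flag_cross_group_requests(SAMPLE_LOG))
```

The hardened check is the general fix for this class of IDOR: every identifier in the request that names a child object (here a post) must be resolved and then verified against the parent the caller is actually authorized for (here the group), rather than only checking the caller's rights on the parent. The log scanner applies the same relation after the fact, which is useful for confirming whether an endpoint was abused before a fix shipped.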

Coincidence

Upon reporting the bug to the Facebook Security Team, I recollected encountering information about an undeletable post issue on Facebook. Subsequent Google searches led me to a YouTube video featuring the same bug but from a different endpoint. The realization left me shocked and prompted thoughts that if the bug was disclosed on YouTube, it might have been fixed. To verify, I decided to find the original researcher, Richard Telleng, and contact him.

After locating his Facebook account, I reached out to Richard and informed him that the bug was still active. To my surprise, he assured me that the bug had been fixed, and Facebook had already rewarded him with a bounty for his discovery. I promptly shared the entire story with the Facebook Security Team.

I extend my sincere thanks to Richard Telleng, the researcher who discovered the bug before me, for his honesty and politeness. You’re truly a great guy, and I appreciate your immense support. Thank you so much, my bro.

Timeline

Sarmad | 18 Jun 2018

  • Initial Report

Meta Bug Bounty | 20 Jun 2018

  • Report Triaged

Meta Bug Bounty | 31 Jul 2018

  • Bug Fixed

Sarmad | 31 Jul 2018

  • Fixed Confirmed

Meta Bug Bounty | 02 Aug 2018

  • Bounty Awarded

POC
