Page moderator can change timeline visibility - Facebook Bug

03 Apr 2016

Description:

It was possible for a page moderator with Facebook Messenger access_token to change timeline visibility of a post by issuing a request to the following graph endpoint after setting proper values.

https://graph.facebook.com/v2.2/<PAGE-ID>_<POST-ID>?access_token=<MESSENGER-ACCESS-TOKEN>&timeline_visibility=hidden&method=post

The GET parameter timeline_visibility can have any of these values: hidden, normal or starred.

According to Page Role specifications, it should not have happened.

Upon successful request, the timeline visibility of the particular post changed into whatever state was passed through the parameter.

 
Report sent : 27 July 2015

Facebook responded saying that it was a duplicate of an issue they were already tracking. Thanks for reading!

PageFault

Page moderator can change timeline visibility - Facebook Bug

Description:

Related Posts

Leaking access tokens from Microsoft apps chaining two vulnerabilities 12 Dec 2018

Unvalidated URL Redirect - Facebook Bug Bounty 12 Jan 2017

Leaking Facebook appsecret_proof - Private Bounty 12 Nov 2016