Details about future collaboration profiles and pages have been revealed

The page admin could be able to block the profiles and pages from inviting the page as a collaborator. The block list is only visible to the page admin.


An attacker can view the blocked collaboration profiles details of any page by changing the attacker's page ID with the victim's page ID.

When unblocking the blocked profiles or pages, the following request will be sent:

POST /api/graphql/ HTTP/2

Host: www.facebook.com

fb_api_req_friendly_name=CollaborationBlocklistBlockedPagesQuery&variables={"owner_id":"sampleID"}&server_timestamps=true&doc_id=5322093584488173

By changing the "owner_id" , attacker can be able to view blocked collaboration profiles of any page.

Steps to Reproduce : 

1) Go  to Page Settings>>Notifications>>Block future collaboration invites .

2) Add a random profile to the block list, and capture the request.

3) Change  the "owner_id" with victim's page ID and send the request.

4) The blocked profiles and pages of victim's page will be exposed in response.

Reported : 19-07-2022

Triaged : 22-07-2022

Fixed : 28-07-2022









Comments

Popular posts from this blog

IDOR leads to removing members from any Google Chat Space.

Group expert's pending expertise request leaking on Facebook