Group expert's pending expertise request leaking on Facebook

Group experts can add areas of expertise to their badge. To do so, they send expertise requests to the group admin for approval. These requests are only visible to group admins under the "Badge requests" option, and only the admin can approve or reject the expertise requests submitted by group experts.

Anyone could see the pending expertise requests of any public group by changing the group ID in the following API request:

POST /api/graphql/ HTTP/2
Host: www.facebook.com

fb_api_req_friendly_name=GroupsCometExpertiseBadgeRequestsRootQuery&variables={"groupID":"SampleID","scale":1}&server_timestamps=true&doc_id=5418595031540088

After changing the group ID, the names of that group's experts and the details of their pending expertise requests are exposed in the response, even though the requester is not an admin of that group.

Steps:

1) Go to the group admin's dashboard, click "Badge Requests" and intercept the request.

2) Change the "groupID" parameter to the victim's group ID and send the request.

3) The pending expertise request details of the victim's group will be visible in the response.
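The root cause described above is an object-level authorization gap: the server accepts whatever groupID the client sends and never ties the "is this viewer an admin?" decision to that specific group. The following is an added example (not Facebook's code, and the resolver names, data model and sample groups are all constructed for illustration) that models a "badge requests" resolver in its vulnerable form beside the fixed form, so the difference in the check is visible side by side.

```python
# Added example, not Facebook's code. Models the authorization check a
# "pending badge requests" resolver needs. The vulnerable resolver only
# confirms that the viewer is an admin *somewhere* and then reads whatever
# group the client named (the IDOR pattern from the post); the fixed resolver
# ties the decision to the group actually being fetched.
from dataclasses import dataclass, field


@dataclass
class ExpertiseRequest:
    requester_name: str
    expertise: str
    status: str = "pending"


@dataclass
class Group:
    group_id: str
    is_public: bool
    admins: set = field(default_factory=set)
    experts: set = field(default_factory=set)
    badge_requests: list = field(default_factory=list)


class AuthorizationError(Exception):
    pass


# Constructed sample data (hypothetical groups, admins and experts): two public
# groups with different admins, each holding one pending expertise request.
GROUPS = {
    "group_A": Group("group_A", True, admins={"alice"}, experts={"erin"},
                     badge_requests=[ExpertiseRequest("erin", "Home Brewing")]),
    "group_B": Group("group_B", True, admins={"bob"}, experts={"frank"},
                     badge_requests=[ExpertiseRequest("frank", "Astronomy")]),
}


def is_admin_somewhere(viewer_id: str) -> bool:
    """Role-level check only: true if the viewer administers any group."""
    return any(viewer_id in g.admins for g in GROUPS.values())


def can_view_badge_requests(viewer_id: str, group_id: str) -> bool:
    """Object-level check: true only if the viewer administers *this* group."""
    group = GROUPS.get(group_id)
    return group is not None and viewer_id in group.admins


def badge_requests_vulnerable(viewer_id: str, group_id: str) -> list:
    """Vulnerable resolver: the viewer's role is checked, but not against the
    group named in the request, so any admin can read any group's requests."""
    if not is_admin_somewhere(viewer_id):
        raise AuthorizationError("viewer is not a group admin")
    group = GROUPS.get(group_id)
    if group is None:
        return []
    return [r for r in group.badge_requests if r.status == "pending"]


def badge_requests_fixed(viewer_id: str, group_id: str) -> list:
    """Fixed resolver: authorization is decided per requested object."""
    # Same response for "no such group" and "not your group", so the endpoint
    # does not confirm which group IDs exist to an unauthorized caller.
    if not can_view_badge_requests(viewer_id, group_id):
        raise AuthorizationError("viewer is not an admin of this group")
    group = GROUPS[group_id]
    return [r for r in group.badge_requests if r.status == "pending"]


def requester_names(requests: list) -> list:
    """Helper used to compare results: just the names of the requesters."""
    return [r.requester_name for r in requests]
```

Calling badge_requests_vulnerable("bob", "group_A") returns erin's pending request even though bob only administers group_B, which is the leak the post describes; badge_requests_fixed("bob", "group_A") raises instead, while badge_requests_fixed("alice", "group_A") still serves the legitimate admin. The general rule the fixed resolver follows is that every resolver taking an object ID from the client must re-check the viewer's permission on that exact object, not just the viewer's role.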

Reported: 12-07-2022

Triaged: 18-07-2022



