Saturday, August 20, 2016

IDOR in Facebook - Reveal any secret group

Hi. I have found a vulnerability in Facebook in which I was able to reveal a secret group even though a user is not a member of that particular group. The vulnerability can be exploited via the Facebook mobile version (m.facebook.com).

This was the vulnerable URL:
https://mbasic.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=[secret group id]

Replace the value of the ID in the "target" parameter with the ID of your target secret group. You must have two test accounts to be able to reproduce the bug. Though this bug is limited since you cannot post in that group, Facebook still resolved it.

This bug has already been fixed by the Facebook Security Team, who rewarded me with a $1500 bounty.
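
An added example (not from the original post and not Facebook's code) of the server-side check whose absence produces this kind of IDOR: a hypothetical composer handler that resolves `target` by ID alone, next to one that checks the viewer against the group first. The group model, the function names and the assumption that the group name is what leaks are all illustrative.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    gid: str
    name: str
    privacy: str                      # "public", "closed" or "secret"
    members: set = field(default_factory=set)


# Constructed sample data, not real group IDs.
GROUPS = {
    "1001": Group("1001", "Neighbourhood Watch", "public"),
    "2002": Group("2002", "Project Falcon", "secret", {"alice"}),
}

NOT_FOUND = {"status": 404, "body": "Content not available"}


def composer_vulnerable(viewer: str, target: str) -> dict:
    """Resolves the share target by ID alone; the viewer is never consulted."""
    group = GROUPS.get(target)
    if group is None:
        return NOT_FOUND
    return {"status": 200, "body": f"Share to {group.name}"}


def can_see(viewer: str, group: Group) -> bool:
    """Secret groups are visible to members only (assumed visibility rule)."""
    return group.privacy != "secret" or viewer in group.members


def composer_fixed(viewer: str, target: str) -> dict:
    """Authorizes the viewer against the object before rendering anything."""
    group = GROUPS.get(target)
    # Identical response for "does not exist" and "not visible", so the
    # endpoint cannot confirm that a guessed secret group ID is valid.
    if group is None or not can_see(viewer, group):
        return NOT_FOUND
    return {"status": 200, "body": f"Share to {group.name}"}
```

The check belongs on every endpoint that accepts a group ID, not only the main group page; a secondary path such as a share composer is exactly where it tends to be missed.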

I was then again listed in the Whitehat List of Facebook (it's my 2nd time being listed).