Baibhav Anand Jha


$~# whoami
Baibhav Anand Jha
I do bug-bounties
I develop
I learn
I hack
He/Him

 

      

De-anonymize the members of a private Facebook Group as a non-member.

March 15 | 2 Minutes Read



Description:

A non-member can determine whether someone is a member of a private group via the CometHovercardQueryRendererQuery GraphQL mutation (Doc_ID: 4997502340291357). Replace the actorID with the victim's actorID and the groupID with that of the group we want to test. If the response shows WeakEntityReference, then he/she is not a member of the group. However, if it shows StrongEntityReference, then he/she is a member of the group.



Steps Of Reproduction:

  1. From a non-member's account, send this request, replacing the actorID variable with that of the victim and the groupID variable with that of the group you want to test against.
  2. If you get "StrongEntityReference" in the response, he/she is a member of the group. However, if you get "WeakEntityReference" in the response, he/she is not a member of the group. Using this technique you can find out whether someone is a member of the private group or not.
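The root cause described above is a response that varies with the target's membership without checking what the viewer is allowed to see. The following is an added illustration of that pattern and a server-side fix, not code from the original report or from Facebook; the data model, function names and the `reference_type` field are hypothetical.

```python
# Added illustration with a hypothetical data model; not Facebook's code.
GROUP_MEMBERS = {"g1": {"alice", "bob"}}  # constructed sample data
PRIVATE_GROUPS = {"g1"}


def is_member(user_id, group_id):
    return user_id in GROUP_MEMBERS.get(group_id, set())


def hovercard_vulnerable(viewer_id, actor_id, group_id):
    """Leaky: the reference type depends only on the actor's membership;
    the viewer's right to see the member list is never checked."""
    kind = ("StrongEntityReference" if is_member(actor_id, group_id)
            else "WeakEntityReference")
    return {"reference_type": kind, "actor": actor_id}


def hovercard_hardened(viewer_id, actor_id, group_id):
    """Membership-dependent output is produced only when the viewer is
    allowed to see who belongs to the group."""
    viewer_may_see = (group_id not in PRIVATE_GROUPS
                      or is_member(viewer_id, group_id))
    if viewer_may_see and is_member(actor_id, group_id):
        kind = "StrongEntityReference"
    else:
        kind = "WeakEntityReference"
    return {"reference_type": kind, "actor": actor_id}


def leaks_membership(resolver, viewer_id, group_id, member_id, non_member_id):
    """Regression check: for the given viewer, the responses for a member
    and a non-member must be identical apart from the echoed actor id."""
    a = resolver(viewer_id, member_id, group_id)
    b = resolver(viewer_id, non_member_id, group_id)
    a.pop("actor")
    b.pop("actor")
    return a != b


if __name__ == "__main__":
    for fn in (hovercard_vulnerable, hovercard_hardened):
        print(fn.__name__, "leaks:",
              leaks_membership(fn, "mallory", "g1", "alice", "carol"))
```

A check like `leaks_membership` belongs in the regression suite for every field that touches private-group data, run with a viewer who is outside the group.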



Timeline

Report Submitted:
Saturday, January 30, 2021 at 11:42 PM
Triaged:
Monday, February 1, 2021 at 8:18 PM
Fixed:
Tuesday, February 2, 2021 at 5:39 PM
Bounty Awarded ($4500):
Tuesday, February 16, 2021 at 10:28 PM