Disclosing the members of private Facebook Group as a non-member.
December 15 | 2 Minutes Read
Description
It was possible for a non-member to learn whether someone was a member of a private group, and their membership date, via the group profile view endpoint in Facebook Lite.
Steps of Reproduction
- From User A's account in Facebook Lite (while I am a member of the group), I open the group.
- From User A's account on my PC, I leave the group.
- Now when I click on a member's profile, I cannot see the group posts, but I can see the membership dates.
- Now I see the membership dates of User B and User C after leaving the group.
- From User B's account on my PC, I leave the group.
- Now we notice that the membership date for User B disappeared, as User B was no longer a member of the group, but the membership date for User C was still there.
- To further confirm the vulnerability, I left the group from User C's account on my PC.
- Now we notice that the membership date also disappeared for User C, confirming the vulnerability.
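The steps above describe an authorization check that is missing on the membership data itself: the endpoint answered from the group's member list without asking whether the viewer was still entitled to read it. The following is an added illustration, not Facebook's code and not based on knowledge of the real root cause: a hypothetical in-memory handler with the check missing, beside one that enforces it, and a replay of the reporter's steps against each.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Group:
    """Hypothetical in-memory model of a group: user id -> join date (ISO string)."""
    name: str
    private: bool
    members: Dict[str, str] = field(default_factory=dict)

    def join(self, user: str, joined_on: str) -> None:
        self.members[user] = joined_on

    def leave(self, user: str) -> None:
        self.members.pop(user, None)


def membership_date_vulnerable(group: Group, viewer: str, target: str) -> Optional[str]:
    """Flawed handler: answers from the member list alone and never looks at
    the viewer, so any caller learns whether the target is a member and when
    they joined, exactly the behaviour the report describes."""
    return group.members.get(target)


def membership_date_fixed(group: Group, viewer: str, target: str) -> Optional[str]:
    """Hardened handler: for a private group the viewer must be a current
    member. A non-member viewer gets the same None as a non-member target,
    so the response cannot be used as a membership oracle."""
    if group.private and viewer not in group.members:
        return None
    return group.members.get(target)


def replay_report(handler: Callable[[Group, str, str], Optional[str]]) -> Dict[str, Optional[str]]:
    """Re-run the reporter's steps against a handler: A, B and C are members
    of a private group, A leaves, then A looks up B and C. Returns what A
    can still see. Dates are constructed sample values."""
    group = Group("private-group", private=True)
    group.join("A", "2020-01-01")
    group.join("B", "2020-02-01")
    group.join("C", "2020-03-01")
    group.leave("A")  # A is now a non-member, as in step 2 of the report
    return {target: handler(group, "A", target) for target in ("B", "C")}
```

With the flawed handler the replay still returns both join dates to the departed user A; with the hardened one it returns nothing for either target.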
Timeline
- Reported: Sunday, November 8, 2020 at 1:15 AM
- Triaged: Sunday, November 8, 2020 at 4:46 PM
- Fixed: Tuesday, November 10, 2020 at 10:10 PM
- Bounty awarded ($4500): Tuesday, December 15, 2020 at 5:58 AM