Baibhav Anand Jha


$~# whoami
Baibhav Anand Jha
I do bug-bounties
I develop
I learn
I hack
He/Him

 

      

Disclosing the members of private Facebook Group as a non-member.

December 15 | 2 Minutes Read



Description

It was possible to know if someone was a member of a private group or not via the group profile view endpoint in Facebook lite.

Steps of Reproduction

  1. From User A account in Fblite (while I am the member of the group) I open the group.
  2. From User A account in my PC (I leave the group).
  3. Now when I click on members profile (I cannot see the group posts but I can see the membership dates).
  4. Now I see the membership date of User B and User C after leaving the group.
  5. From User B account in my PC I leave the group.
  6. Now we will notice that membership date for User B disappeared as User B was no longer the member of the group but membership date for User C was still there.
  7. Now to further confirm the vulnerability from User C account in my PC I left the group.
  8. Now we will notice that the membership date also disappeared for User C, confirming the vulnerability.

Timeline

Reported:
Sunday, November 8, 2020 at 1:15 AM
Triaged:
Sunday, November 8, 2020 at 4:46 PM
Fixed:
Tuesday, November 10, 2020 at 10:10 PM
Bounty Awarded ($4500)
Tuesday, December 15, 2020 at 5:58 AM