Disclosing the members of private Facebook Group as a non-member.
December 15 | 2 Minutes Read
It was possible to know if someone was a member of a private group or not via the group profile view endpoint in Facebook lite.
Steps of Reproduction
- From User A account in Fblite (while I am the member of the group) I open the group.
- From User A account in my PC (I leave the group).
- Now when I click on members profile (I cannot see the group posts but I can see the membership dates).
- Now I see the membership date of User B and User C after leaving the group.
- From User B account in my PC I leave the group.
- Now we will notice that membership date for User B disappeared as User B was no longer the member of the group but membership date for User C was still there.
- Now to further confirm the vulnerability from User C account in my PC I left the group.
- Now we will notice that the membership date also disappeared for User C, confirming the vulnerability.
- Sunday, November 8, 2020 at 1:15 AM
- Sunday, November 8, 2020 at 4:46 PM
- Tuesday, November 10, 2020 at 10:10 PM
- Bounty Awarded ($4500)
- Tuesday, December 15, 2020 at 5:58 AM