Hey, welcome to this write-up!
What I’ve found is only from Allah’s will, actually I’m nothing.
Note:
- There’s a “TL;DR” section for those who only need the main point of this write-up.
- I really apologize if my write-up is bad.
- By the way, this is my first write-up.
Enjoy :)
I. TL;DR
- You can join a public Facebook group using your Facebook page, but you can’t do it with an unpublished page.
- When you click the join group button, there’s a profile selector to choose your page/profile.
- Intercept the request when you choose one of them.
- There’s an “actor_id” parameter with the selected Facebook page/profile ID as its value.
- Change the value to your unpublished page ID.
- Also, I can post a limited status with that unpublished page by changing the “actor_id” value in the “Create Post” feature.
II. Introduction
Groups are a place to communicate about shared interests with certain people. You can create a group for anything — your family reunion, your after-work sports team or your book club.
To join a group, you can use your primary Facebook profile or your Facebook page, as long as the group admin allows it.
If the group admin allows pages to join, you’ll notice a selector like this when clicking the “Join Group” button, so you can choose how to join the group:
But only published pages are able to join a group.
Actually, can I see an unpublished page?
The answer is no. If you try to directly access an unpublished page by its URL, you’ll get this message:
III. The Findings
When I was testing group features back then, I found out that I could join the group with my page. Without thinking too much, I immediately started messing with it.
Then I noticed a weird situation: I only saw a few of the many pages I had created. Apparently, the pages that didn’t appear were the ones that were still unpublished or for which I didn’t have enough permissions (I’m not the page admin, etc.).
So I tried to intercept the request when I chose one of my pages/profiles, and a request like this appeared:
I changed the “actor_id” value to my unpublished page, then sent the request.
I immediately checked my dummy account (the group admin), and it was a success: the unpublished page appeared on the group’s “Member Request” page (because I had enabled the pre-approved feature).
I was also able to approve it.
IV. Exploitation
As far as I can remember, I couldn’t post anything using that page, because I couldn’t choose the profile (maybe because it’s unpublished), so I tried to find a way to exploit this. Actually, successfully joining with the page was enough, but I tried to increase the impact.
I decided to test the “Create Post” feature.
When I intercepted the request after clicking the “Post” button, a request like this appeared:
As you can see, there’s also an “actor_id” parameter, so I changed the value to the previous unpublished page ID and sent the request.
It worked!
But I couldn’t post “Attachment” things like images, files, watch parties, etc., except for GIFs. I don’t know why.
I tried to do the same thing on the “Like” and “Comment” features (by changing the “actor_id” value), but I was only able to comment on my post.
V. Lesson Learned
When you are faced with a selector that lets you choose among several things (in this case, profiles), always try to test for IDOR. Also, try to increase the impact of what you’ve found until you get stuck.
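From the defender's side, the same lesson means the server must re-derive which actors a session may use on every action that accepts “actor_id”, instead of relying on the selector to have filtered the list. The sketch below is an added example, not Facebook's code or its actual fix; the IDs, the `PAGES` store and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Page:
    admins: frozenset
    published: bool

# Constructed sample data; every ID here is hypothetical.
PAGES = {
    "page_pub": Page(frozenset({"user_1"}), True),
    "page_unpub": Page(frozenset({"user_1"}), False),
    "page_other": Page(frozenset({"user_2"}), True),
}
DENIED = []  # (session_user, requested_actor_id, action), kept for detection

class ActorDenied(Exception):
    pass

def allowed_actors(session_user):
    """Actors the selector would offer: the user plus published pages they admin."""
    pages = {pid for pid, p in PAGES.items()
             if session_user in p.admins and p.published}
    return {session_user} | pages

def resolve_actor(session_user, requested_actor_id, action):
    """Re-check the client-supplied actor_id; never trust the UI to have filtered it."""
    if requested_actor_id not in allowed_actors(session_user):
        DENIED.append((session_user, requested_actor_id, action))
        raise ActorDenied(f"{session_user} may not {action} as {requested_actor_id}")
    return requested_actor_id

def join_group(session_user, actor_id, member_requests):
    member_requests.add(resolve_actor(session_user, actor_id, "join_group"))

def create_post(session_user, actor_id, text, feed):
    feed.append((resolve_actor(session_user, actor_id, "create_post"), text))

if __name__ == "__main__":
    requests, feed = set(), []
    join_group("user_1", "page_pub", requests)      # offered by the selector
    for tampered in ("page_unpub", "page_other"):   # actor_id edited in transit
        try:
            join_group("user_1", tampered, requests)
        except ActorDenied as exc:
            print("denied:", exc)
    print(requests, DENIED)
```

Routing both handlers through one `resolve_actor` keeps the join and post paths from drifting apart, and the `DENIED` entries are the signal worth alerting on, since a normal client never sends an actor the selector did not offer.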
VI. Timeline
September 16, 2020 — Report sent
September 19, 2020 — Triaged by Facebook team
September 29, 2020 — Facebook team needed more info
September 29, 2020 — I sent more info
October 15, 2020 — Vulnerability patched
October 16, 2020 — Bounty rewarded
Alhamdulillah, finally this write-up ends here.
Hit me up if you have any inquiries: https://twitter.com/Geva_7