Facebook Group Members Disclosure.

Hello bug bounty family, In this article I will be sharing about two of my bugs on Facebook. $4500 each, a total of $9000.

Bug 1st:

Description: A Non-member can determine if someone is the member of a private group or not via CometHovercardQueryRendererQuery graphQL mutation. Doc_ID: 4997502340291357. By changing the actorID with the victim’s actorID and groupID with the group we want to test and in the response if it shows “WeakEntityReference” than he/she is not the member of the group. However, if it shows “StrongEntityReference” than he/she is the member of the group.

Steps:
1. From a non-member’s account send this request by replacing the actorID variable to that of the victim and groupID variable to that of the group which you want to test against.

2. If you get “StrongEntityReference” in response. He/She is the member of the group. However, If you get “WeekEntityReference” in the response he she is not the member of the group. Using this technique you can find out if someone is a member of the private group or not.

Bounty: $4500

Video: https://drive.google.com/file/d/1XAitPW8Evnoh11N8yQqkAxKkyX3zpFSK/view?usp=sharing

Bug 2nd: (using phone)

Description: It was possible to disclose the members of a private group via the endpoint in FbLite which is responsible to show group member posts.

Steps:
1. From User A account in Fblite (while I am the member of the group) I open the group.
2. From User A account in my PC (I leave the group)
3. Now when I click on members profile (I cannot see the group posts but I can see the membership dates)
4. Now I see the membership date of User B and User C after leaving the group.
5. From User B account in my PC I leave the group.
6. Now we will notice that membership date for User B disappeared as User B was no longer the member of the group but membership date for User C was still there.
7. Now to further confirm the vulnerability from User C account in my PC I left the group.
8. Now we will notice that the membership date also disappeared for User C, confirming the vulnerability.

Bounty: $4500

Video: https://drive.google.com/file/d/16Po19jSemG-SBwTMwfftQrFaZQ8zyXeN/view?usp=drivesdk

Thanks for making it to the end of this article. If you have any questions regarding anything, feel free to message me on Twitter: https://twitter.com/spongebhav

Baibhav@Medium:~$ whoami — A security noob here to share about some of his findings.