Facebook Page Admin Disclosure

Page admin disclosure when clicking the join button in the Page inbox of the mobile version


Description:
Every Facebook group has a "Share this group" feature with options for how to share it (share on your timeline, share on a page, share in a private message).
When using this feature in a group while interacting as a page, sharing the group in a private message sends the group link from the page admin's profile, which is intended.
If, while interacting as a page, the group link is sent with this feature to another page, the link lands in the victim page's inbox.
On the web platform the shared link is displayed as a normal link, but in the page inbox of the mobile version the link preview shows a "+" (plus) sign to join the group.

Once the victim page has received the link (sent by the group admin) in its page inbox, and the victim page's admin opens the inbox in the mobile version and taps the "+" sign, a group join request is sent as the page admin without his knowledge, because the link was received in the page inbox rather than in his personal inbox.


Setup
===
Users: UserOne, PageOne {Owner: UserOne}

victimUser, victimPage {Owner:victimUser}

Environment: group GroupOne with owner PageOne, UserOne

Platform: Facebook mobile apps, sites


Steps
===
1. From any web browser go to www.facebook.com, log in as UserOne, and in GroupOne switch to interacting as PageOne.
2. From the top header actions click the Share button; a popup appears to select how to share the group. Select "Share in private message".
3. In the search box search for victimPage and click the Send button.
4. The link will be sent as UserOne to victimPage.

5. Now go to Facebook for Android/iOS/mobile site, log in as victimUser, and go to the page (victimPage) that he manages.
6. Go to the page inbox; the group link received from UserOne is there, and the link preview contains a plus (+) button.
7. Tap the plus button.
8. Switch back to the UserOne account; you can see a notification that victimUser asked to join the group.
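To make the root cause concrete, here is a small model I added for this writeup (my own illustration, not Facebook's code): the "+" control in a Page inbox preview acts on behalf of the logged-in personal account even though the content was delivered to the Page, and does so on a single tap. The hardened handler refuses to create a join request from a Page surface until the user has explicitly confirmed the identity that will be used, and an audit helper flags requests whose origin surface does not match their attribution. All names (Surface, Actor, ViewContext, join_from_preview_*) are hypothetical, and the confirmation step is an assumed mitigation, not the actual fix Facebook shipped.

```python
# Added example, not Facebook's code. Models the identity/context mismatch
# behind the reported bug and one possible mitigation (explicit confirmation).
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Union


class Surface(Enum):
    USER_INBOX = "user_inbox"   # personal Messenger inbox
    PAGE_INBOX = "page_inbox"   # inbox of a Page the user manages


@dataclass(frozen=True)
class Actor:
    kind: str   # "user" or "page" (hypothetical model)
    id: str


@dataclass(frozen=True)
class ViewContext:
    viewer: Actor                  # personal account that is logged in
    surface: Surface
    page: Optional[Actor] = None   # Page whose inbox is open, if any


@dataclass(frozen=True)
class JoinRequest:
    group_id: str
    requester: Actor   # identity the request is attributed to
    surface: Surface   # where the tap happened
    confirmed: bool    # did the user explicitly confirm that identity?


@dataclass(frozen=True)
class NeedsConfirmation:
    group_id: str
    identity: Actor    # identity that would be used if the user proceeds


def join_from_preview_vulnerable(ctx: ViewContext, group_id: str) -> JoinRequest:
    """Behaviour reported in the writeup: one tap on '+' inside a Page inbox
    preview sends a join request as the personal account, with no confirmation
    and no hint that the Page is not the requester."""
    return JoinRequest(group_id, ctx.viewer, ctx.surface, confirmed=False)


def join_from_preview_fixed(
    ctx: ViewContext, group_id: str, confirmed_as: Optional[Actor] = None
) -> Union[JoinRequest, NeedsConfirmation]:
    """Assumed mitigation (not Facebook's actual change).

    Join requests are always attributed to a person, never to a Page. When the
    control is tapped inside a Page inbox, the content was addressed to the
    Page, so the first call returns NeedsConfirmation naming the personal
    identity; only a second call carrying exactly that identity creates the
    request. In the user's own inbox the surface already implies the identity,
    so no extra step is needed."""
    if ctx.surface is Surface.PAGE_INBOX and confirmed_as != ctx.viewer:
        return NeedsConfirmation(group_id, ctx.viewer)
    return JoinRequest(group_id, ctx.viewer, ctx.surface, confirmed=True)


def flag_cross_context_requests(requests: List[JoinRequest]) -> List[JoinRequest]:
    """Server-side audit: a request created from a Page surface but attributed
    to a personal account without confirmation is exactly the reported bug."""
    return [
        r for r in requests
        if r.surface is Surface.PAGE_INBOX
        and r.requester.kind == "user"
        and not r.confirmed
    ]


if __name__ == "__main__":
    # Constructed scenario mirroring the Setup section.
    victim_user = Actor("user", "victimUser")
    victim_page = Actor("page", "victimPage")
    ctx = ViewContext(victim_user, Surface.PAGE_INBOX, victim_page)

    bad = join_from_preview_vulnerable(ctx, "GroupOne")
    print("vulnerable:", bad)

    first = join_from_preview_fixed(ctx, "GroupOne")
    print("fixed, first tap:", first)
    if isinstance(first, NeedsConfirmation):
        second = join_from_preview_fixed(ctx, "GroupOne", confirmed_as=first.identity)
        print("fixed, after confirmation:", second)

    print("flagged by audit:", flag_cross_context_requests([bad]))
```

The point of the model is that the surface a control is rendered on and the identity an action is attributed to are two separate inputs; the bug is that one tap silently combined a Page surface with a personal identity. Requiring the identity to be named before the request is created closes that gap, and the audit helper gives a detection hook for any request that still arrives with the mismatch.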


Proof of concept:


Timeline:

20/04/20: Submitted

24/04/20: FB asked for more info and for the relationship of the attacker with the page/admin.

24/04/20: Submitted a new POC with no relationship between the attacker and the page/admin.

21/05/20: Triaged

25/06/20: Fixed & Rewarded $3000

Submitted the same way using the poll feature, but it has the same root cause.