In FB group there is an option for document edit with collaboration and group member can delete document while collaboration enabled or author of current edit(if member edited previously),
Generally when group admin change edit to disable collaboration then automatically he become author of document but while in collaboration if attacker change the “only_author_may_edit” parameters value to true which saving doc and later admin disabled edit then author not get updated and result is that attacker able to delete doc.
Here we can see two scenarios
1: first is if another user not modify only_author_may_edit param value and edit document that time delete option won’t comes up after admin disable edit
2. But if another user modify only_author_may_edit value to true and edit document then delete option comes up after admin disable edit.
[setup]
User UserOne
User UserTwo
GroupOne with {members:[UserOne,UserTwo]}
Steps to reproduce:
- UserOne create document in GroupOne (Allow group members to edit this document is enabled by default)
- UserTwo edit document and while saving capture request in any proxy like burp
- In captured request edit only_author_may_edit value to true and forward request.
- Now as UserOne untick “Allow group members to edit this document”., save the document, this will disable collaboration and UserOne become author of document.
- Switch to UserTwo account and check document again, we can see delete option still appears to UserTwo and UserTwo able to delete document.
Response from Facebook:
” Thanks for your reply. While group edit is enabled by default, in this scenario the admin must edit the doc to disable this option (as opposed to disabling the option when creating the document). Of course this flow is possible, but the number of prerequisites for this issue to be exploited prevent the issue from meeting the bar for reward in the bug bounty program. “
Status:
Fixed & Closed as informative.