Join Any Facebook Group As Deactivated Additional Profile

Description: A deactivated profile or deleted profile cannot use Facebook but due to this bug it is possible to join and interact in any Facebook or Private Group.

Impact: This will allow the attacker to post on any Facebook group without the fear of blocking and knowing the true identity of the profile.

Steps to Reproduce:

(This bug will only work for additional profile feature) More info about Facebook Additional Profile here
1. Copy the ID of your deactivated additional profile
3. First join any group by using the graphql request . Change the av= parameter and _user= to your deactivated profile and group_id to your target group
2. To create a post. Using your main profile create a post then intercept the request
3. Change the actor_id to your deactivated profile and group_id to your target group
4. Forward the request and the post will be created using your deactivated profile

Video PoC:

Timeline:
09–19–2023 Report Sent
09–22–2023 Unable to reproduce. On the same day I have sent additional details
09–29–203 Report Triaged
10–05–2023 Report closed as Informative. Then I sent additional details and showed other ways to exploit this issue. Like adding contact point even the profile is deactivated
11–10–2023 Finally closed as informative

If you have question, you can reach me here https://twitter.com/devsyd11