Meta Bug Bounty: Add Items As Non Contributor Page in Personal Save Collection Feature

Syd Ricafort (0cod3)
2 min read · Mar 1, 2024


Facebook has a feature called Saved collections. In a personal saved collection, the owner of the collection can add contributors. As stated in the help center, “Everyone in the collection’s audience can view items, comment on items and see the collection’s name. Only Contributors, when using the Contributors only privacy settings, can add items.”

https://www.facebook.com/help/833282696681783

At the time of reporting, while testing this feature on the web, I noticed that Facebook was treating the NPE page and the personal profile as the same object in the collection. This means an attacker can switch to their page and add items to the collection.

When you switch to any of your pages, you will notice in the UI that the victim’s collection is not listed. However, this is not validated in the backend.

By substituting the content_collection_id with the victim’s collection ID, the item is added to the collection as an NPE page, even if that page isn’t listed among the contributors.
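The root cause described above is an authorization check that resolves the acting page back to the account behind it, so the page inherits contributor rights it was never granted. The following is an added illustration, not Facebook’s code: a minimal model of that flawed check next to a corrected one that authorizes the exact acting identity. All class and field names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the authorization decision; nothing here is
# Facebook's actual schema or API.


@dataclass(frozen=True)
class Actor:
    """Identity making the request: a personal profile, or a page it manages."""
    kind: str                 # "profile" or "page"
    id: str
    managing_profile_id: str  # for a page, the profile that switched into it


@dataclass
class Collection:
    id: str
    owner_profile_id: str
    contributors: set = field(default_factory=set)  # ids allowed to add items


def can_add_item_flawed(collection: Collection, actor: Actor) -> bool:
    """Resolves a page back to its managing profile and authorizes that.
    A page therefore inherits contributor rights the page itself never had."""
    principal = actor.managing_profile_id
    return (principal == collection.owner_profile_id
            or principal in collection.contributors)


def can_add_item_fixed(collection: Collection, actor: Actor) -> bool:
    """Authorizes the exact acting identity: a page may add items only if the
    page itself was added as a contributor, regardless of who manages it."""
    if actor.kind == "profile" and actor.id == collection.owner_profile_id:
        return True
    return actor.id in collection.contributors


def demo() -> dict:
    # Constructed scenario: the victim owns the collection and added the
    # attacker's personal profile, but not the attacker's page, as contributor.
    victim = Collection(id="coll-1", owner_profile_id="victim")
    victim.contributors.add("attacker-profile")
    profile = Actor("profile", "attacker-profile", "attacker-profile")
    page = Actor("page", "attacker-page", "attacker-profile")
    return {
        "profile_flawed": can_add_item_flawed(victim, profile),
        "profile_fixed": can_add_item_fixed(victim, profile),
        "page_flawed": can_add_item_flawed(victim, page),   # wrongly allowed
        "page_fixed": can_add_item_fixed(victim, page),     # denied
    }
```

The server must run this check against the identity actually performing the request and the collection id it supplies, since the client UI not listing the collection is not a control.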

Furthermore, the attacker can conceal their identity by employing country restrictions, leaving the victim unaware of who added the item to the collection.

Proof of Concept: https://www.youtube.com/watch?v=Q7NVLPrxACs&ab_channel=SydneyRicafort

If you have questions, you can reach me on Facebook | Twitter
