This is how I can Turn Off Your Post Notification

Description/Impact: On m.facebook a user can turn on post notifications for a post. Once enabled, the user is notified whenever someone reacts to, shares, or comments on the post. The bug I found is that an attacker may be able to turn off a victim’s post notification setting simply by changing the story_id in the request to the victim’s story_id: the endpoint does not check whether the story_id belongs to the user sending the request.

Reproduction steps:
1. Attacker finds a post and clicks “Turn on notification status for this post”

Attacker post

2. While clicking, fire up Burp Suite, capture the request to /a/post/subscribe and send it to Repeater
3. Get the post id of the victim’s post (it is visible directly in the URL as “story_fb_id=”)
4. Back in Burp Suite, change ft_ent_identifier to the victim’s post id and send the request

5. You will notice that after sending the request you do not get an error such as “You don’t have permission”, and the notification status of the victim’s post has been changed.

Victim Post Notification Setting
Victim’s Post Notification after issuing the request
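As an added example (not the original post’s code, and not Facebook’s), here is a minimal Python model of the /a/post/subscribe handler described above: the vulnerable form trusts the request’s ft_ent_identifier, and the hardened form refuses the request unless the session user owns the story. POSTS, the user names and the function names are assumptions constructed for illustration.

```python
# Constructed sample data (assumption for illustration): two posts owned by
# different users, owner notifications switched on for both.
def reset_posts() -> dict:
    return {
        "1001": {"owner": "attacker", "notify_owner": True},
        "2002": {"owner": "victim", "notify_owner": True},
    }


POSTS = reset_posts()


class PermissionDenied(Exception):
    """Raised when the requester is not the owner of the story being modified."""


def subscribe_vulnerable(session_user: str, ft_ent_identifier: str, enable: bool) -> dict:
    """Mirrors the reported bug: the client-supplied story id is trusted and the
    session user is never compared against the post owner, so any logged-in user
    can flip the owner's notification setting for any story id they know."""
    post = POSTS[ft_ent_identifier]
    post["notify_owner"] = enable
    return {"story_id": ft_ent_identifier, "notify_owner": post["notify_owner"]}


def subscribe_fixed(session_user: str, ft_ent_identifier: str, enable: bool) -> dict:
    """Hardened form: authorization is derived from the server-side session and the
    stored owner of the post, never from a value in the request body."""
    post = POSTS.get(ft_ent_identifier)
    if post is None:
        raise KeyError(f"unknown story {ft_ent_identifier}")
    if post["owner"] != session_user:
        # The outcome the writeup expected to see: the request is refused.
        raise PermissionDenied("You don't have permission")
    post["notify_owner"] = enable
    return {"story_id": ft_ent_identifier, "notify_owner": post["notify_owner"]}


def replay_writeup(handler) -> bool:
    """Replays step 4 of the writeup against a handler: the attacker's session
    submits the victim's story id. Returns True if the victim's setting survived,
    False if it was flipped."""
    POSTS.update(reset_posts())
    try:
        handler("attacker", "2002", False)
    except PermissionDenied:
        pass
    return POSTS["2002"]["notify_owner"]
```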

Facebook pre-triaged my report but after further investigation closed it as informative 😢. They considered it a UI issue.

Thanks for reading my writeup. If you have any questions you can reach me on Twitter @devsyd11.

Syd Ricafort

/* Security Researcher && Programmer */