This is how I can Turn Off Your Post Notification
Description/Impact: In m.facebook user can turn on post notification on a post. By turning it on user will be notified if someone reacted, shared, or commented on the post. However, the bug that I found is that attacker might be able to turn off the post notification setting of the user by just changing the story_id to victim’s story_id. It does not check if the story_id is coming from the owner.
1. Attacker finds a post and click “Turn on notification status for this post”
2. While clicking, fire up your burpsuite and capture the request /a/post/subscribe then send it to repeater
3. Get the post id of the victim’s post (you can get it directly on the URL “story_fb_id=”)
4. Back to the buprsuite change the ft_ent_identifier to victim’s post id then send the request
5. You will notice that after sending the request it will not give you an error like “You don’t have permission” and the notification status of the victim’s post was successfully changed.
Facebook pre-triaged my report but after further investigation closed it as informative 😢. They considered it as a UI issue.
Thanks for reading my writeup. If you have any question you can reach me on twitter @devsyd11.