User’s private watched videos’ List, saved videos, etc.
2020-11-18 18:37:15 Author: medium.com

Samip Aryal

This writeup is about a vulnerability exposing a user’s private watched videos list, saved videos, shared videos, etc. through the ‘WATCH TOGETHER’ feature on a locked phone.

A month back, I read an article from a researcher about Messenger calls exposing the user’s private friends’ list from a locked phone. So, I retested it the same day to check again whether some other information was leaking out without unlocking a phone. That day I got none; Facebook had fixed the bug by adding an extra security layer, and after that no one was able to access the feature without unlocking the phone.

Now, recently Facebook launched the ‘Watch Together’ feature in Messenger. So, I had a look over there and also tested the section using Burp after I got to use the feature. I found nothing intriguing that day.

But then, the next day, I remembered that valid bug from the researcher. Thus, I did some tests. Interestingly, I found a similar type of vulnerability in the Watch Together section, where any person with physical access could access the User’s Private Watched Videos List, Saved Videos List as well as the video shared in the chat thread without unlocking the phone. I quickly reported it to Facebook with a short POC video. Facebook fixed it after some weeks. Now, you have to unlock the phone to use the Watch Together feature.

Reproduction Steps
==
1. User A’s smartphone is in a locked state.
2. User B calls User A.
3. Intruder picks up the call.
4. Intruder goes to the ‘Watch Together’ option.
5. Intruder sees User A’s entire private lists of Watched videos, Saved videos, videos shared in the chat thread, etc. without unlocking the phone.

Impact
===
This vulnerability could let anyone with physical access to the victim’s device view/access the user’s private saved videos, the user’s entire watched videos list, and also the videos shared in the chat thread without unlocking the phone. This would have affected the privacy/security of the user heavily.
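
The fix described above (unlock required before Watch Together opens) can be sketched as follows. This is an added example, not code from the original writeup or from Facebook: it assumes an Android client on API 27+, and `CallActivity`, `WatchTogetherActivity` and their methods are hypothetical names.

```kotlin
import android.app.Activity
import android.app.KeyguardManager
import android.content.Context
import android.content.Intent
import android.os.Bundle

// Hypothetical in-call screen: it must appear over the lock screen so calls can be answered.
class CallActivity : Activity() {
    private lateinit var keyguard: KeyguardManager

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        keyguard = getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
        setShowWhenLocked(true)   // only the call UI is allowed over the keyguard
        setTurnScreenOn(true)
    }

    // Wired to the (hypothetical) "Watch Together" button.
    fun onWatchTogetherClicked() {
        if (!keyguard.isKeyguardLocked) {
            openWatchTogether()
            return
        }
        // Locked: ask the system for PIN/pattern/biometric before showing private lists.
        keyguard.requestDismissKeyguard(this, object : KeyguardManager.KeyguardDismissCallback() {
            override fun onDismissSucceeded() = openWatchTogether()
            override fun onDismissCancelled() { /* stay on the call screen, show nothing */ }
            override fun onDismissError() { /* stay on the call screen, show nothing */ }
        })
    }

    private fun openWatchTogether() {
        startActivity(Intent(this, WatchTogetherActivity::class.java))
    }
}

// Hypothetical screen that lists watched, saved and shared videos.
// It never calls setShowWhenLocked(true) and re-checks the lock state itself,
// so a new entry point added later cannot skip the gate in CallActivity.
class WatchTogetherActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val keyguard = getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
        if (keyguard.isKeyguardLocked) {
            finish()              // refuse to render private data while locked
            return
        }
        // ... load and display the user's lists here ...
    }
}
```

The second check matters because the lock-state decision is enforced where the private data is rendered, not only at the button that leads to it.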

Timeline (The Simplest I have ever had)

Reported — Saturday, 17 October 2020

Pre-Triaged — Thursday, 22 October 2020

Triaged — Thursday, 22 October 2020

Fixed — Monday, 9 November 2020

Fixed confirmed — Thursday, 12 November 2020

Bounty Rewarded — Thursday, 12 November 2020

Bounty Reward Message From Facebook

Thank you for reading this writeup about a simple vulnerability. If you have any suggestions/queries, I’m available on Facebook/ Instagram.

Try reading every bug writeup from other researchers too :)


Article source: https://medium.com/bugbountywriteup/users-private-watched-videos-list-saved-videos-etc-30faa8610b33?source=rss----7b722bfd1b8d--bug_bounty