Facebook Vulnerability that Allowed Hacker to change Privacy Settings

Our Research and Development Head Sachin Thakuri and Application Security Head Prakash Sharma have been participating in bug bounty programs in their free time. The year 2015 was a partial success for them: Prakash finished in 8th position and Sachin in 30th position on Facebook's Whitehat leaderboard. Most of the bugs they reported to Facebook were in the Graph API; if you are new to Facebook's Graph API, you can read about it on their developers platform.

Let us discuss the security issue Prakash discovered in the Facebook Graph API. It concerns the privacy settings of posts published on Facebook, which could be manipulated through the Graph API, allowing an attacker to change the privacy setting of a post.

According to developer docs[1],

Setting Privacy When Publishing

Most endpoints that let you post (e.g. posts, photos, notes) also allow you to include a privacy parameter that lets you control who can see the content.

The parameter determines the privacy settings of the post. If it is not supplied, it defaults to the privacy level granted to the app in the Login Dialog. This field cannot be used to set a more open privacy setting than the one granted during login.

If you read it carefully, it says,

"This field cannot be used to set a more open privacy setting than the one granted during login."

This means an app should not be able to change a post's privacy setting to a more open one (Private to Public, Private to Friends Only, Friends Only to Public) beyond the level it was approved for during the app approval and authentication process, as shown.


This was partially working as expected: when an app tried to publish a post (or a link, or anything else that can be posted on Facebook) with a more open privacy setting, the post was published with the default privacy setting originally granted to the app during the approval process. However, Facebook failed to enforce the same restriction when a previously published post was edited through the Graph API, which allowed an app to modify the privacy settings of existing posts. Thus, an app granted the 'Only me' privacy level could change earlier posts to 'Public', and the modified posts would not appear as "Edited" as they usually do when a post is modified.

Here are the API requests:
To publish a post:

POST /me/feed?message=My+message HTTP/1.1
Host: graph.facebook.com

This will return a post_id, and clicking on it shows the published post. Let's assume the post_id is 987654321_123456789

To update the privacy level:

POST /987654321_123456789?privacy={VALUE:'EVERYONE'} HTTP/1.1
Host: graph.facebook.com

This will return true, indicating that the post has been updated and is now visible to everyone. Using this issue, an attacker could therefore change the privacy settings of previously published posts without the owner receiving any notification.
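As an added illustration (not Facebook's code, and not code from the researchers), here is a toy Python model of the server-side check the developer docs describe, replaying the two requests above for an app granted 'Only me'. It shows the defective edit path, which never consults the granted level and does not flag the post as edited, next to an enforced one. The privacy level names (SELF, ALL_FRIENDS, EVERYONE), the post ids and the in-memory store are assumptions constructed for the example.

```python
# Added illustration, not Facebook's code: a toy model of the server-side
# privacy ceiling the Graph API docs describe, with the defective edit path
# (no check) beside an enforced one. Privacy level names, post ids and the
# in-memory store are constructed for this example.

# Privacy levels ordered from most restrictive to most open. The exact set of
# Graph API values is an assumption; only the ranking matters for the check.
PRIVACY_RANK = {"SELF": 0, "ALL_FRIENDS": 1, "EVERYONE": 2}


def is_more_open(requested: str, granted: str) -> bool:
    """True when `requested` would expose a post to a wider audience than the app was granted."""
    return PRIVACY_RANK[requested] > PRIVACY_RANK[granted]


def clamp_privacy(requested, granted: str) -> str:
    """Publish-time behaviour described in the post: a missing or too-open
    value falls back to the level granted in the Login Dialog."""
    if requested is None or is_more_open(requested, granted):
        return granted
    return requested


class PostStore:
    """Minimal stand-in for the posts backend, keyed by a constructed post id."""

    def __init__(self):
        self.posts = {}
        self._counter = 0

    def publish(self, app_granted: str, message: str, privacy=None) -> str:
        """POST /me/feed: the ceiling is applied here, so this path was safe."""
        self._counter += 1
        post_id = f"987654321_{self._counter}"  # constructed; mirrors the id shape in the post
        self.posts[post_id] = {
            "message": message,
            "privacy": clamp_privacy(privacy, app_granted),
            "edited": False,
        }
        return post_id

    def update_vulnerable(self, app_granted: str, post_id: str, privacy: str) -> bool:
        """POST /{post_id}?privacy=...: the defect the post describes. The
        granted level (app_granted) is never consulted and the post is not
        marked as edited."""
        self.posts[post_id]["privacy"] = privacy
        return True

    def update_fixed(self, app_granted: str, post_id: str, privacy: str) -> bool:
        """Same endpoint with the ceiling enforced on edit as well. A request
        that would widen the audience past the grant is refused outright rather
        than silently downgraded, and the post is flagged as edited."""
        if privacy not in PRIVACY_RANK:
            return False
        if is_more_open(privacy, app_granted):
            return False
        post = self.posts[post_id]
        post["privacy"] = privacy
        post["edited"] = True
        return True


def walkthrough(update_method: str) -> dict:
    """Replay the post's two-request sequence with an app granted SELF
    ('Only me') and report what the update returned plus the post's state."""
    store = PostStore()
    post_id = store.publish("SELF", "My message")      # request 1: publish
    update = getattr(store, update_method)
    ok = update("SELF", post_id, "EVERYONE")            # request 2: widen privacy
    return {"returned": ok, **store.posts[post_id]}


if __name__ == "__main__":
    print("vulnerable:", walkthrough("update_vulnerable"))
    print("fixed:     ", walkthrough("update_fixed"))
```

The enforced version refuses an edit that would widen the audience instead of clamping it as the publish path does; either choice prevents the silent widening, but refusing gives the caller an explicit error rather than a success response for a request that was not honoured. Setting the edited flag on a privacy change addresses the second observation in the post, that modified posts did not show as "Edited".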

This issue has been reported and has already been fixed by the Facebook Security Team.

If you need Application Security Testing Service, please contact us.
