Disclosing Private Group Members via Facebook Rooms
In September 2020, a vulnerability was discovered in Facebook's Rooms feature inside Groups that allowed attackers to disclose members of private groups through unauthenticated GraphQL requests.
Given only a report ID, an attacker could export Ads Manager reports belonging to arbitrary businesses, since access was keyed on the identifier rather than on the requester's permissions.
A preview parameter allowed unauthorized viewing of draft, archived, and inactive Spark AR effects belonging to any user.
Partner businesses holding only the limited 'apply block list' role could escalate to managing and deleting block lists via an insecure add/connections endpoint that did not re-check the role.
The vulnerability permits an unauthenticated actor to take over any wit.ai account. The only prerequisite observed is knowledge of the target wit.ai identifier; no additional credentials are required.
Users without any page role could delete AR Studio Effect groups, removing other users and disrupting creators' workflows.
Partner businesses holding only the analyst role could escalate themselves to pixel editor via the sharing_agreement endpoint.
A GraphQL endpoint returned the pending (unconfirmed) email address of any Oculus user when queried by user ID, leaking PII to any caller who knew the ID.
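Most of the reports above share one root cause: a handler trusted an identifier or a role supplied with the request and never asked whether the caller was entitled to the object or the action. The following is an added, constructed illustration of the two checks that were missing, an object-level check for the private-group case and a role-containment check for the partner-role escalations. It is not Facebook's code; every name, role and group in it is made up for the example.

```python
"""Constructed example: object-level and role-level authorization checks.

Not Facebook's code. Group names, user IDs and the role-to-permission
map are invented for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Set, Dict


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


@dataclass
class Group:
    id: str
    privacy: str        # "public" or "private"
    members: Set[str]   # user IDs


@dataclass
class Viewer:
    user_id: Optional[str]  # None models an unauthenticated request


# Constructed sample data.
GROUPS: Dict[str, Group] = {
    "g1": Group("g1", "public", {"alice", "bob"}),
    "g2": Group("g2", "private", {"carol", "dave"}),
}

# Constructed partner-role model: each role maps to the permissions it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "apply_block_list": {"block_list:apply"},
    "block_list_manager": {"block_list:apply", "block_list:manage", "block_list:delete"},
    "analyst": {"pixel:view"},
    "pixel_editor": {"pixel:view", "pixel:edit"},
}


def group_members_vulnerable(viewer: Viewer, group_id: str) -> list:
    """The bug class: the ID alone is enough, the viewer is never consulted."""
    return sorted(GROUPS[group_id].members)


def group_members(viewer: Viewer, group_id: str) -> list:
    """Hardened: private groups are visible only to authenticated members."""
    group = GROUPS.get(group_id)
    if group is None:
        # Same error for "missing" and "hidden" so IDs cannot be enumerated.
        raise Forbidden(group_id)
    if group.privacy == "public":
        return sorted(group.members)
    if viewer.user_id is None or viewer.user_id not in group.members:
        raise Forbidden(group_id)
    return sorted(group.members)


def require_permission(role: str, permission: str) -> None:
    """Role check for a single action, e.g. deleting a block list."""
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise Forbidden(f"{role} lacks {permission}")


def grant_role(actor_role: str, requested_role: str) -> str:
    """Hardened sharing-agreement style update: a partner may only hand out a
    role whose permissions are a subset of what the partner already holds,
    which blocks an analyst from minting itself a pixel editor role."""
    have = ROLE_PERMISSIONS.get(actor_role, set())
    want = ROLE_PERMISSIONS.get(requested_role)
    if want is None or not want <= have:
        raise Forbidden(f"{actor_role} cannot grant {requested_role}")
    return requested_role


def is_forbidden(fn, *args) -> bool:
    """Helper so callers can check the outcome without try/except boilerplate."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    anon = Viewer(None)
    print(group_members_vulnerable(anon, "g2"))          # leaks carol, dave
    print(is_forbidden(group_members, anon, "g2"))       # True
    print(group_members(Viewer("carol"), "g2"))          # ['carol', 'dave']
    print(is_forbidden(grant_role, "analyst", "pixel_editor"))  # True
```

The two checks are deliberately separate: `group_members` decides whether this viewer may see this object, while `grant_role` decides whether this role may perform this action on a role. The reports above fail one or the other; an endpoint that does both before touching the data is the fix in every case.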