Block Appointments Requests for Any Facebook Page
Unauthenticated POST to GraphQL could block appointment requests management for any Facebook Page.
Ramzy Bouyahya
Disclosing Private Group Members via Facebook Rooms
In September 2020, a vulnerability was discovered in Facebook's Rooms feature inside Groups that allowed attackers to disclose members of private groups through unauthenticated GraphQL requests.
Takeover any wit.ai account
The vulnerability permits an unauthenticated actor to takeover any wit.ai account. The only prerequisite observed is knowledge of the target wit.ai identifier; no additional credentials are required.
View Draft, Archived and Inactive Effects for Any Facebook or Instagram User
Preview parameter allowed unauthorized viewing of draft, archived, and inactive Spark AR effects for any user.
View Reports Ad Account for Any Business (Export via Report ID)
Using report ID access, an attacker could export Ads Manager reports for arbitrary businesses.
Business Partner Can Escalate Role on Block Lists
Partner businesses with limited 'apply block list' role could escalate to manage/delete block lists via an insecure add/connections endpoint.
Delete Groups AR Studio Effect
Users without page roles could delete AR Studio Effect groups, removing other users and disrupting creators workflows.
Bypass Pixel Role (Partner Business)
Partner businesses with analyst role could escalate to pixel editor via the sharing_agreement endpoint.
Disclose Page Admins via Facebook Appointments
This vulnerability permits the leakage of the page owner's identifier.
View Pending Email of Any Oculus User via GraphQL
A GraphQL endpoint exposed pending (unconfirmed) email addresses for Oculus users by ID, leaking PII.