1. 559357440894888 is the targeted resource (group)
2. 100000152886101 is the targeted user who owns the resource, (Just a parameter value sent along with the first GET request to be included in the form action to successfully complete the request)
When this endpoint (/ajax/home/generic.php) calling an client side facebook path (path=) related to a facebook resource (pages, groups, etc..) this resource lacks the “X-Frame-Options” and became iframable. The fact is that all the actions inside the iframable response are depending on another resource that has not been loaded to complete the AJAXed requests to be made but LUCKILY we found that the iframable resource contains some “Forms” that are able to be submitted by the victim.
The PoC Impact:
Fooling a victim to add a specific user to a targeted secret group or even any other resource!!
PoC Code (In case you need it): <div style=”overflow: hidden; width: 145px; height: 28px; position: relative;” >
<iframe src=”URL” style=”border: 0pt none ; left: -7px; top: -807px; position: absolute; width: 1406px; height: 1321px;” scrolling=”no”></iframe></div></br>
Building a website? Or already built a one? Think twice before going public and let us protect your business!