Hi All. This bug is related to Facebook albums: a blocked album contributor was affected by missing function-level access control.
Who is an album contributor? When you add contributors to a shared album, they can add photos or videos, tag photos, edit the album and add other contributors. Contributors can only edit or delete the photos they upload. When a contributor is removed, they may still be able to delete photos they added to the shared album from their activity log.
Description: From one of my invalid bugs which I reported earlier, I came to know that if the album owner blocks the album contributor by going to their profile (and assuming that the album owner forgot to remove the contributor from the album), then the blocked album contributor should not be able to download the Facebook album.
Steps to Reproduce:
1. Album owner: 100005027988637 [Kartik Singh]
2. Album Contributor: 100008608837076 [Contri]
3. Album: 878982152279376
1. Login as Kartik and create an album.
2. Kartik will add his friend Contri to the album as contributor.
3. Now Kartik will go to Contri’s profile and will block her.
4. Now login as Contri and try to access album by going to Contri’s photos and accessing the album.
5. Notice that Contri is able to see the album cover, but when she tries to open the album she gets the error “This page isn’t available”.
6. Now go to any other album that Contri owns and then click on “Download album”.
7. Intercept the generated request and change the ‘fbid’ parameter in the body of the request.
8. In the ‘fbid’ parameter, provide the album id of the above mentioned album, i.e., 878982152279376.
9. Contri is successfully able to download the album irrespective of the privacy of the album.
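The following is an added example, not Facebook's code, that models the authorization decision behind the “Download album” request. The data model, the block/friend graph, the privacy levels and all function names are constructed for illustration; the user and album ids are the ones quoted above. It shows the reported behaviour (the endpoint checks owner-or-contributor status for the album named by the client-supplied `fbid`, but never consults the block list) next to a corrected policy in which a block between owner and requester overrides contributor status, and it replays the report's scenario against both.

```python
"""Model of the album-download authorization check (added example, not Facebook's code).
Data model, graph and function names are constructed; ids are those quoted in the report."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Album:
    album_id: int
    owner_id: int
    contributors: set = field(default_factory=set)
    privacy: str = "contributors"  # constructed levels: "public", "friends", "contributors"


@dataclass
class SocialGraph:
    friendships: set = field(default_factory=set)  # frozenset({a, b})
    blocks: set = field(default_factory=set)       # (blocker_id, blocked_id)

    def are_friends(self, a: int, b: int) -> bool:
        return frozenset((a, b)) in self.friendships

    def block_exists(self, a: int, b: int) -> bool:
        # A block in either direction should sever access to each other's content.
        return (a, b) in self.blocks or (b, a) in self.blocks


def can_download_vulnerable(album: Album, requester: int, graph: SocialGraph) -> bool:
    """Reported behaviour: only asks whether the requester is the owner or is still
    listed as a contributor. The block list is never consulted, so a contributor whom
    the owner blocked but forgot to remove still passes."""
    return requester == album.owner_id or requester in album.contributors


def can_download_fixed(album: Album, requester: int, graph: SocialGraph) -> bool:
    """Corrected policy: a block between owner and requester is evaluated first and
    overrides contributor status; only then do the normal privacy rules apply."""
    if requester == album.owner_id:
        return True
    if graph.block_exists(album.owner_id, requester):
        return False
    if requester in album.contributors:
        return True
    if album.privacy == "public":
        return True
    if album.privacy == "friends":
        return graph.are_friends(album.owner_id, requester)
    return False


def handle_download(body: str, session_user: int, albums: dict,
                    graph: SocialGraph, policy) -> int:
    """Server-side handler for the download request. 'fbid' comes from the request body
    and is client-controlled; session_user comes from the authenticated session, never
    from the body. Returns a constructed status code: 200 allowed, 403 denied, 404 unknown."""
    fbid = parse_qs(body).get("fbid", [""])[0]
    if not fbid.isdigit() or int(fbid) not in albums:
        return 404
    album = albums[int(fbid)]
    return 200 if policy(album, session_user, graph) else 403


def reproduce_report() -> tuple:
    """Replays the report: the owner adds a contributor, then blocks her without removing
    her from the album, and she submits a download request naming that album."""
    owner, contri, album_id = 100005027988637, 100008608837076, 878982152279376
    albums = {album_id: Album(album_id, owner, contributors={contri})}
    graph = SocialGraph()
    graph.friendships.add(frozenset((owner, contri)))       # step 2: friends, contributor added
    graph.blocks.add((owner, contri))                       # step 3: Kartik blocks Contri
    graph.friendships.discard(frozenset((owner, contri)))   # blocking also removes the friendship
    body = f"fbid={album_id}"                               # step 8: fbid names the shared album
    return (
        handle_download(body, contri, albums, graph, can_download_vulnerable),
        handle_download(body, contri, albums, graph, can_download_fixed),
    )


if __name__ == "__main__":
    print(reproduce_report())  # (200, 403)
```

The point the replay makes is that the UI error in step 5 is not an access-control check: every endpoint that accepts an album id, including the download one, has to evaluate the same policy against the session identity, and that policy has to treat a block as overriding any standing contributor entry rather than relying on the owner to remember to remove the contributor.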
20 Feb 2018: Report sent to Facebook
28 Feb 2018: Escalation by Facebook
11 Apr 2018: Bug fixed
9 May 2018: Bounty awarded
Bug hunter: Kinghackx