Initially I identified and reported a low-severity information disclosure affecting profile violations. As Facebook's security team was delayed in their initial triage due to the New Year holiday, I continued searching and discovered an escalation.

Identifying additional attack vectors:

  • User profiles: use a dedicated flow for managing user violations
  • Facebook Pages & Groups: share the same flow

Testing this flow on Facebook profiles, nothing seemed to be vulnerable, so I started testing it on private Facebook groups.

1-Created a private test group

2-Posted multiple posts containing content that could trigger Facebook's automated systems

Within minutes, I received notifications confirming removal for Community Standards violations.

Let's look at the Disagree option:

  • Selected the "Disagree" option to appeal the content removal decision
  • A few minutes after submitting the appeal, my private group post went live again, the takedown having been judged a false positive

The appeal endpoint (https://www.facebook.com/entity_quality/profile_appeal_decision_details_dialog/?objectID=<post_id>) seemed interesting for IDOR, since the post ID is passed directly as the objectID parameter.

I opened the URL with another account that was not a member of the private group, and in the response:

  • the private group post is fully disclosed, including the CDN content;
  • the removed violating content is also disclosed.
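To make the bug class concrete, here is an added example (my own illustration, not Facebook's code) of an appeal-details handler that trusts the objectID parameter the way the vulnerable endpoint did, next to a hardened version that performs an object-level authorization check before returning anything. The policy that only the post's author or a group admin may view the appeal, and all sample posts, groups and URLs, are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Post:
    post_id: int
    group_id: int
    author: str
    cdn_url: str       # media of the removed post
    removed_text: str  # the text that was taken down


@dataclass
class Group:
    group_id: int
    private: bool
    admins: set = field(default_factory=set)


# Constructed sample data: one private group, one removed post by alice.
GROUPS = {100: Group(100, private=True, admins={"bob"})}
POSTS = {42: Post(42, 100, "alice", "https://cdn.example/removed.jpg", "removed text")}


class NotFound(Exception):
    """One error for both 'missing' and 'not yours', so the response does not reveal whether an ID exists."""


def _render(post):
    return {"post_id": post.post_id, "cdn": post.cdn_url, "text": post.removed_text}


def appeal_details_vulnerable(object_id, requester):
    """IDOR: the handler looks up objectID and never asks who is requesting."""
    return _render(POSTS[object_id])


def can_view_appeal(object_id, requester):
    """Object-level check (assumed policy): only the post's author or an admin of its group may see the appeal."""
    post = POSTS.get(object_id)
    if post is None:
        return False
    return requester == post.author or requester in GROUPS[post.group_id].admins


def appeal_details_hardened(object_id, requester):
    """Same lookup, but authorization is decided before any data is rendered."""
    if not can_view_appeal(object_id, requester):
        raise NotFound()
    return _render(POSTS[object_id])
```

Running `appeal_details_vulnerable(42, "mallory")` returns the removed content and CDN link to a non-member, while `appeal_details_hardened` raises the same NotFound for an outsider as it does for an ID that does not exist.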

Timeline:

  • January 15: Reported
  • January 16: Triaged
  • June 4: Fixed
  • June 5: Bounty awarded