A security researcher discovered a broken access control (BAC) vulnerability in Facebook Groups where moderators could change the 'Who can participate in the group' setting — an admin-only action. By intercepting a GraphQL mutation (useGroupEditPageJoinPermissionMutation) while acting as an admin in their own group, then replaying the request with a different group_id where they were only a moderator, the server returned 200 OK and applied the change. The root cause was missing backend authorization checks, with the system relying solely on UI-level restrictions. The vulnerability was reported in December 2025, fixed by March 2026, and a bounty with bonus was awarded.
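To make the root cause concrete, here is an added example (not code from the write-up or from Facebook's implementation) that models the mutation handler described above: a version that only trusts the UI's admin-only restriction next to one that checks the caller's role on the exact group_id being modified. The store, user and group ids, role names and the `makeStore` helper are constructed assumptions.

```javascript
// Added example (not from the write-up): a minimal mutation handler for a
// group's "who can participate" setting. The roles, ids and store are
// constructed; the point is where the authorization decision lives.
const ALLOWED = new Set(["anyone", "admin_approval"]);

// Constructed state: user u1 is an admin of g1 but only a moderator of g2.
function makeStore() {
  return {
    g1: { joinPermission: "anyone", roles: { u1: "admin" } },
    g2: { joinPermission: "anyone", roles: { u1: "moderator", u2: "admin" } },
  };
}

// Broken pattern: the server only checks that the caller holds *some* role
// on the target group and otherwise trusts the UI, which merely hides the
// control from moderators. Replaying an admin's request with a group_id
// where the caller is a moderator therefore succeeds with 200.
function editJoinPermissionVulnerable(store, actorId, args) {
  const group = store[args.group_id];
  if (!group || !(actorId in group.roles)) return { status: 403 };
  if (!ALLOWED.has(args.join_permission)) return { status: 400 };
  group.joinPermission = args.join_permission;
  return { status: 200, joinPermission: group.joinPermission };
}

// Hardened pattern: authorization is decided server-side against the exact
// object named in the request (args.group_id), requiring the admin role on
// that group. Denials are explicit so they can be logged and alerted on
// (a non-admin calling an admin-only mutation is a useful detection signal).
function editJoinPermissionHardened(store, actorId, args) {
  const group = store[args.group_id];
  if (!group) return { status: 404 };
  if (group.roles[actorId] !== "admin") {
    return { status: 403, error: "admin role required on group " + args.group_id };
  }
  if (!ALLOWED.has(args.join_permission)) return { status: 400 };
  group.joinPermission = args.join_permission;
  return { status: 200, joinPermission: group.joinPermission };
}
```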

Source: infosecwriteups.com, by Abu Idris Al-Muhaqqiq. The original write-up is organised into the sections Storytelling Write-up, Impact, Reproduction Steps, Root Cause and Timeline.