Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time

Along with https://medium.com/bugbountywriteup/breaking-appointments-and-job-interview-schedules-with-malformed-times-edef103e46ba during my searching I found a second vulnerability to break the newly added appointment tab in Facebook pages. The first vulnerability allowed for the start time and end time of Facebook appointments to be the set to the same value making no available times for job interviews or services to be booked. Normally this wouldn’t be too impactful as an admin could just change the times back to normal but that’s where the second vulnerability comes into play. Providing a malformed time in the same graphql POST call to the max_advanced_notice parameter would then cause an integer overflow when trying to load the time schedule rendering it unchangeable and therefor locking in the previous vulnerability from being changed

Proof of Concept

1) Browse to your pages appointment settings

2) Hit change on the available appointment times

3) Intercept the POST request sent to /api/graphqlbatch/ to change the times

4) Edit the end_times and start_times parameters so they match (eg. end_times”:[540,540,540,540,540],”start_times”:[540,540,540,540,540])

5) Edit the max_advanced_notice parameter to a malformed/larger time (eg. 15552000000)

6) The appointment time settings should now be broken

Video

Timeline

Submitted- October 12th, 2018

Triaged- October 16th, 2018

Bounty Awarded($500)- December 14th, 2018