Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time

Max Pasqua
Dec 14, 2018 · 1 min read

During my searching I also found a second vulnerability that breaks the newly added appointment tab in Facebook pages. The first vulnerability allowed the start time and end time of Facebook appointments to be set to the same value, leaving no available times for job interviews or services to be booked. Normally this wouldn’t be too impactful, as an admin could just change the times back to normal, but that’s where the second vulnerability comes into play. Providing a malformed time in the max_advanced_notice parameter of the same GraphQL POST call caused an integer overflow when trying to load the time schedule, rendering it unchangeable and therefore locking in the previous vulnerability so it could not be undone.

Proof of Concept

1) Browse to your pages appointment settings

2) Hit change on the available appointment times

3) Intercept the POST request sent to /api/graphqlbatch/ to change the times

4) Edit the end_times and start_times parameters so they match (eg. "end_times":[540,540,540,540,540],"start_times":[540,540,540,540,540])

5) Edit the max_advanced_notice parameter to a malformed/larger time (eg. 15552000000)

6) The appointment time settings should now be broken
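As an added, defender-side example that is not part of the original write-up: a server-side validator for the two fields abused above. It assumes start_times/end_times are minutes after midnight, max_advanced_notice is in seconds, and the schedule loader stores that value in a signed 32-bit integer (the write-up only says "integer overflow"); the payloads are constructed.

```python
import ctypes

# Assumptions (not stated in the write-up): start_times/end_times are minutes
# after midnight, max_advanced_notice is in seconds, and the schedule loader
# stores that value in a signed 32-bit integer, which 15552000000 exceeds.
MINUTES_PER_DAY = 24 * 60
INT32_MAX = 2**31 - 1
MAX_NOTICE_SECONDS = 365 * 24 * 3600  # policy cap, well inside int32


def wraps_int32(value):
    """Show what a 32-bit signed store does to an oversized value."""
    return ctypes.c_int32(value).value


def validate_appointment_settings(payload):
    """Return validation errors for the fields from the write-up; [] if OK."""
    errors = []
    starts = payload.get("start_times", [])
    ends = payload.get("end_times", [])
    if len(starts) != len(ends):
        errors.append("start_times and end_times must have the same length")
    for day, (start, end) in enumerate(zip(starts, ends)):
        if not (0 <= start < MINUTES_PER_DAY and 0 < end <= MINUTES_PER_DAY):
            errors.append(f"day {day}: times must fall within a single day")
        elif end <= start:
            # Equal (or inverted) times leave no bookable window at all.
            errors.append(f"day {day}: end_times must be later than start_times")
    notice = payload.get("max_advanced_notice", 0)
    if isinstance(notice, bool) or not isinstance(notice, int):
        errors.append("max_advanced_notice must be an integer")
    elif notice < 0 or notice > INT32_MAX:
        # Reject before any 32-bit code path can wrap the value.
        errors.append(f"max_advanced_notice {notice} does not fit in a signed int32")
    elif notice > MAX_NOTICE_SECONDS:
        errors.append("max_advanced_notice exceeds the allowed lead time")
    return errors


# Constructed payloads: the first mirrors the values in the proof of concept.
BROKEN_PAYLOAD = {"start_times": [540] * 5, "end_times": [540] * 5,
                  "max_advanced_notice": 15552000000}
SANE_PAYLOAD = {"start_times": [540] * 5, "end_times": [1020] * 5,
                "max_advanced_notice": 180 * 24 * 3600}

if __name__ == "__main__":
    print("15552000000 stored as int32:", wraps_int32(15552000000))
    for name, payload in (("broken", BROKEN_PAYLOAD), ("sane", SANE_PAYLOAD)):
        print(name, validate_appointment_settings(payload) or "accepted")
```

Running it shows the PoC value wrapping to a negative number when narrowed to int32, and the validator rejecting both the zero-width windows and the oversized notice before either reaches the schedule loader.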



Submitted- October 12th, 2018

Triaged- October 16th, 2018

Bounty Awarded($500)- December 14th, 2018
