Workplace is Facebook's child. It has community and within it there could be groups. Now there could be groups that are created outside the community. The Group of Workplace has a feature called Events , that can let its members to create Events as well as edit them. When a user has created an Event in a Group and later if he is kept in mute, he could change the details like the Name of the Event and locaiton. But while muting a user this is the alert shown in the UI What it says is it only allows to VIEW the group. When it says why it allowed the Group to be edited.. Now, when the same member is muted in the group he can only view the contents in the Group. Here's something which is ironic, THE STATUS. When the event editing isn't allowed the status also must be the same. So, when a user has updated a status in the Group and edits it and captures the HTTP request. THe HTTP Request would be as follows. POST /webgraphql/mutation/?doc_id=1396480790477967 HTTP/1.1 Host: my.
Hi ! I'm a Sofware Engineer, strive to exploit security flaws only on Tech giants, though all the time my attacks go into the graveyard 😕. Guitar🎸 | Bug Bounty🐞🤑 | Love life