Page Admin Disclosure via an Upgraded Page Post

src: https://www.askbuddie.com/blog/unauthorized-comments-on-facebook-live-stream/

I have been in the bug bounty and/or ethical hacking scene for more than 4 years now and this is my first write-up (I hope you bear with me), since most of the programs I hunt on do not allow disclosure. I mostly hunt vulnerabilities on Alibaba and other independent/private bug bounty programs.

Description

Soooo I was posting about a special event that happened on one of my organization’s pages. I upgraded that post through a prompt message, “” when suddenly I noticed an unusual behavior: it publicly disclosed me as one of the page admins through my profile’s Life Events section, because any Facebook user who visited my profile and clicked on that Life Event was redirected to the Page Post, implying that I’m one of the page’s admins.

Steps to replicate

  • UserA = Account that manages a Facebook Page (page admin)
  • UserB = Stalker/Attacker

1. Using UserA, create a public post on the Page you manage. Make sure the post is congratulatory-worthy, i.e. something that triggers the Life Event prompt that allows the post to be upgraded.

2. [Still UserA’s perspective] Once the post is published, notice the prompt above it: “It looks like something special happened. Want to make this post a life event?” It offers two options: “No Thanks”, which declines the upgrade, and “Upgrade Post”, which upgrades the post. Click the “Upgrade Post” button and supply the requested details.

3. [Still UserA’s perspective] Go to your profile’s About section, Life Events [base url/username/about?section=year-overviews], and notice that the Life Event you created via your Page is listed there. Alternatively, go to your profile and scroll down to the Life Events section to verify.

4. [UserB’s perspective] UserB visits UserA’s profile and clicks on any of UserA’s Life Events. This redirects UserB to the Page Post, thereby disclosing that UserA is an admin of that Page, since the post was linked to his or her personal account as a Life Event.
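To make the authorization gap concrete, here is an added model of the behaviour in Python (constructed for this write-up, not Facebook’s code; all names are hypothetical): the vulnerable upgrade attaches the Life Event to the acting account regardless of which identity authored the post, the fixed variant only allows the upgrade when the post’s author identity is the personal account itself, and a visitor-side function shows what UserB can infer from UserA’s public Life Events.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str


@dataclass(frozen=True)
class Page:
    name: str


@dataclass(frozen=True)
class Post:
    post_id: int
    author: object     # identity the post is published as: a User or a Page
    created_by: User   # account that actually clicked "post" (a page admin)


@dataclass(frozen=True)
class LifeEvent:
    owner: User   # profile the event is displayed on
    post_id: int  # the post the event links back to


def upgrade_post_vulnerable(post, profiles):
    # Reported behaviour: the event lands on the acting account's profile
    # even though the post was published as a Page.
    event = LifeEvent(owner=post.created_by, post_id=post.post_id)
    profiles.setdefault(post.created_by, []).append(event)
    return event


def upgrade_post_fixed(post, profiles):
    # Hardened: only a post authored as the personal account may be upgraded.
    if post.author != post.created_by:
        raise PermissionError("posts published as a Page cannot become life events")
    event = LifeEvent(owner=post.created_by, post_id=post.post_id)
    profiles.setdefault(post.created_by, []).append(event)
    return event


def pages_linked_from_profile(profile_user, profiles, posts):
    # What any visitor (UserB) learns: follow each Life Event to its post and
    # collect the Pages that authored them; each one exposes an admin link.
    return {posts[ev.post_id].author for ev in profiles.get(profile_user, [])
            if isinstance(posts[ev.post_id].author, Page)}


# Constructed sample data, not taken from the write-up.
ADMIN = User("user_a")
PAGE = Page("example_org_page")
POSTS = {1: Post(post_id=1, author=PAGE, created_by=ADMIN)}


def demo(upgrade):
    # Run one upgrade variant and report which Pages UserB can link to UserA.
    profiles = {}
    try:
        upgrade(POSTS[1], profiles)
    except PermissionError:
        pass
    return pages_linked_from_profile(ADMIN, profiles, POSTS)
```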

Impact

“This could have led to a page admin disclosure by upgrading a page post to a life event.” -Facebook

POC (Proof-of-Concept)

Timeline

December 19, 2019 :: Report Submitted

January 09, 2020 :: Triaged after several discussions

February 06, 2020 :: Fixed the bug

February 07, 2020 :: Bounty awarded

Got myself listed on Facebook’s Whitehat Hacker Hall-of-Fame (2019)
Number 65: https://www.facebook.com/whitehat/thanks/

Acknowledgment

Would like to thank Ajay Gautam and AJ Dumanhug for creating writeups that inspired me to hunt similar security issues on Facebook.

Ajay Gautam : https://medium.com/bugbountywriteup/page-admin-disclosure-facebook-bug-bounty-2019-ee9920e768eb

AJ Dumanhug : https://medium.com/bugbountywriteup/disclosure-of-facebook-page-admin-due-to-insecure-tagging-behavior-24ff09de5c29

Takeaways

  • Be observant of the slightest, smallest details. I always keep a checklist whenever I hunt for security issues on a particular platform. You might want to do it too.
  • Understand the platform’s features. If one of them shows unusual behavior, and/or a privacy control has been bypassed, gather strong supporting details for what you found and discuss with the security team why it happens and why it is a security issue that needs to be dealt with.

Thanks for reading!

Connect with me on LinkedIn!
