Facebook Bug : Sending messages as a page with jobmanager permission

Hey, one of my college friends called me and said she wants to hire some content creators and graphic designers for her page. She was asking for an efficient way of hiring, and I told her about “Facebook Jobs” and how she can find/recruit creators using this feature.

Facebook Jobs

Anyone can find jobs in the Jobs dashboard at facebook.com/jobs and the “Jobs” option in the “Explore” section on mobile, by clicking the Jobs icon in Marketplace, or visiting the Jobs tab of a business’ Page.

Confusion for her

She isn't tech savvy, so she asked me if I could create and publish jobs on behalf of her page. I agreed and asked her to assign me as a “Jobmanager” of her page.

A lil about “Jobmanager”

Facebook allows 6 different roles for Facebook Pages; one of those roles is “Jobmanager”.

Privileges of Jobmanager :

  • View insights.
  • Create ads, promotions or boosted posts.
  • View Page Quality tab.
  • See who published as the Page.
  • Publish and manage jobs.

Tryna help her

Accidentally she added me as an Admin of her page, instead of adding me as a jobmanager. I tried sending a message to her, telling her about the fact that she added me as an admin, so I sent a message to her using her page (https://www.facebook.com/{page-username}/inbox/).

After receiving my message she changed my role permission to “Jobmanager”. Jobmanager has no access to the Page’s Inbox, but I hadn't refreshed the inbox page yet, so the page inbox was still in front of me. I thought of testing role permission issues there, so I tried to open the page’s inbox (https://www.facebook.com/{page-username}/inbox/) in a new tab, and I got an error (that was pretty obvious, as Jobmanager has no access to the page’s inbox). That inbox page was still in front of me, as I hadn't refreshed the page. I asked my friend to send a message to her Facebook page; I thought maybe I could read new messages from the existing inbox tab, but this also failed: “No new messages arrived”. I then tried sending a message to her from the same inbox page that was still non-refreshed (I knew that if I refreshed the page, that inbox page would no longer be available), and boom, I was able to send a message from the existing page.

Note : I was not able to receive new messages, but I was able to send messages to anyone from that existing/non-refreshed inbox page with jobmanager permissions.
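The behaviour described above, where a fresh load of the inbox is refused but a send from the already-open tab still goes through, fits a permission check made when the inbox is loaded and not repeated on each send. The Python sketch below is an added example, not Facebook's code or part of the original report; the `Page` class, its methods and the role set are hypothetical, and it shows the stale check beside one that re-reads the current role on every send.

```python
# Constructed model; role names follow the post, everything else is hypothetical.
INBOX_ROLES = {"admin"}  # assumption: of the two roles in the post, only admin may message

class Page:
    def __init__(self):
        self.roles = {}   # user -> current role (source of truth)
        self.sent = []    # messages sent as the page

    def open_inbox(self, user):
        """Rendering the inbox: the role is checked here, at load time."""
        if self.roles.get(user) not in INBOX_ROLES:
            raise PermissionError("no inbox access")
        # The loaded tab keeps this snapshot until it is refreshed.
        return {"user": user, "role_at_load": self.roles[user]}

    def send_stale(self, tab, text):
        """Flawed: trusts the role captured when the tab was loaded."""
        if tab["role_at_load"] not in INBOX_ROLES:
            raise PermissionError("no inbox access")
        self.sent.append((tab["user"], text))

    def send_checked(self, tab, text):
        """Hardened: re-reads the user's current role on every send."""
        if self.roles.get(tab["user"]) not in INBOX_ROLES:
            raise PermissionError("role changed; inbox access revoked")
        self.sent.append((tab["user"], text))

def demo():
    page = Page()
    page.roles["friend"] = "admin"
    tab = page.open_inbox("friend")          # tab opened while admin
    page.roles["friend"] = "jobmanager"      # owner downgrades the role
    results = {}
    for name, send in (("stale", page.send_stale), ("checked", page.send_checked)):
        try:
            send(tab, "hello")
            results[name] = "sent"
        except PermissionError:
            results[name] = "denied"
    try:
        page.open_inbox("friend")            # a fresh load is refused, as in the post
        results["reload"] = "opened"
    except PermissionError:
        results["reload"] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```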

Diagrammatic Representation of the flow

[Image: flow diagram]
simple asf

I reported the issue soon after the discovery.

Sadly they marked the bug as “Duplicate”.


Video PoC :

https://youtu.be/rztZkCVE6Rk

Takeaways :

  • Change the role permissions (do not refresh the existing tabs) and try to escalate privileges.
  • Spend time reading “Facebook help posts” and important announcements in the Facebook newsroom (especially when it comes to these kinds of bugs).
  • Sometimes there is no need for bypasses (like in this case, the issue was direct).
  • Duplicates/Informatives are part of the game. Keep playing :)

Timeline :

[29 May 2019] : Bug submitted.

[1 June 2019] : Bug reproduced by FB security team.

[6 June 2019] : Bug marked as Duplicate.

[15 July 2019] : Retested, bug fixed.

Wanna connect?

Facebook : https://facebook.com/devansh.batham

Twitter : @devanshwolf
