Facebook Page admin disclosure

I'm here again to share my second and third valid reports. Both concern page admin disclosure in Facebook Lite. My initial report was closed as not valid because it described admin disclosure through reactions: when I created a post from my page, tapped "View Post", and then reacted to my own post or to any comment on it, the reaction showed up as coming from my personal account instead of from my page. The Facebook security team explained that anyone can react to a public post or comment, so a reaction alone does not identify the reactor as the admin of the page.

A few days later I found a bug related to that report. Following the same procedure, the comment section could disclose the admin's personal account: without any indication that you are interacting with your page as your personal profile, your personal account interacts with the page. I reopened my earlier report to raise this concern, and the team quickly identified what it was.

Steps to reproduce:

1. Create a post on a page using Facebook Lite.
2. Instead of tapping "Close", tap "View Post" and post any comment.

After the admin taps "View Post", they are viewing the post as an ordinary follower, so any comment they write from that screen is posted under their personal identity rather than the page's.

// The "View Post" button has since been removed.

First PoC (not valid)
https://drive.google.com/file/d/12OpcZkSFTykcYEoEVM5qWo0MRASpUtIb/view?usp=drivesdk

Second PoC (valid)
https://drive.google.com/file/d/124J7niY3bapvroQIRuiobXTR6pPG4MRH/view?usp=drivesdk

While waiting for that report to be fixed, I found another interesting bug that could lead to admin disclosure. When a page admin taps a comment notification from the page in Facebook Lite, any comment they make from that screen is posted under their personal identity. I waited for my current report to be fixed before submitting a new one, because the team was already working on this product. After a week of waiting the report was fixed, and luckily this bug still existed, so I submitted it as a new report; it was triaged in less than 24 hours. Five days later they said it was already fixed, but I noticed that when the notification leads directly to a reply to someone's comment, the admin's personal profile still interacts with the page.

Steps to reproduce:

UserA = page admin
UserB = follower of the page
1. UserA creates a post on the page.
2. UserB comments on that post.
3. In Facebook Lite, UserA taps the comment notification from the page.
4. UserA replies to UserB.

Bypass after the first fix: the same steps, but with a notification that leads directly to a reply to someone's comment.

PoC (initial report)
https://drive.google.com/file/d/129fM5t-7EAeFiXzWPHs0GTAtNqi7hPjM/view?usp=drivesdk

PoC (bypass)
https://drive.google.com/file/d/12AVF-e90zmVeZuqH57gcoeyRGHUfCMbK/view?usp=drivesdk
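Both procedures on this page (the "View Post" button and the comment notification) share one root cause: a deep link into a page post drops the "acting as page" context, and the comment composer then defaults to the personal account without showing which identity it will use. The following Python model is an added example written for this page, not Facebook's code; every name in it (Session, Link, acting_as, can_act_as, viewer_link, actor_link and the fixture data) is hypothetical. It shows the vulnerable viewer-style link beside a hardened link that carries the actor explicitly, a composer that exposes the identity it will post as, and a server-side check that the session may speak as the stated author.

```python
"""Model of actor-context loss across navigation (constructed example, not
Facebook's code; all names and fixtures are hypothetical)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Page:
    page_id: str
    admins: frozenset            # personal account ids allowed to act as the page


@dataclass
class Post:
    post_id: str
    owner_id: str                # page id (or user id) the post was published as


@dataclass
class Comment:
    post_id: str
    author_id: str               # identity other users will see on the comment
    text: str


@dataclass
class Link:
    """A deep link into a post; actor_id names the identity to continue as."""
    post_id: str
    actor_id: Optional[str] = None


@dataclass
class Session:
    user_id: str                      # personal account that logged in
    acting_as: Optional[str] = None   # page id while the admin is using the page


# Constructed fixtures: one page administered by one personal account.
PAGES: Dict[str, Page] = {"page_1": Page("page_1", frozenset({"userA"}))}
POSTS: Dict[str, Post] = {}


def can_act_as(session: Session, actor_id: str) -> bool:
    """Authorization: a session may speak as itself or as a page it administers."""
    if actor_id == session.user_id:
        return True
    page = PAGES.get(actor_id)
    return page is not None and session.user_id in page.admins


def create_page_post(session: Session, page_id: str, post_id: str) -> Post:
    """Publishing from the page composer puts the session into 'acting as page' mode."""
    if not can_act_as(session, page_id):
        raise PermissionError(f"{session.user_id} is not an admin of {page_id}")
    session.acting_as = page_id
    POSTS[post_id] = Post(post_id, page_id)
    return POSTS[post_id]


def viewer_link(post: Post) -> Link:
    """Vulnerable: 'View Post' and the comment notification as plain viewer links.
    The page that owns the post is known, but the link does not carry it."""
    return Link(post.post_id)


def actor_link(post: Post) -> Link:
    """Hardened: the link states which identity should continue on the target."""
    return Link(post.post_id, actor_id=post.owner_id)


def open_link(session: Session, link: Link) -> Post:
    """Following a link resets acting_as to the actor it carries, if permitted."""
    if link.actor_id is not None and can_act_as(session, link.actor_id):
        session.acting_as = link.actor_id
    else:
        session.acting_as = None      # no actor on the link: back to the personal account
    return POSTS[link.post_id]


def composer_identity(session: Session) -> str:
    """Identity the comment composer will post as; the UI must display this value."""
    return session.acting_as or session.user_id


def post_comment(session: Session, post_id: str, text: str, author_id: str) -> Comment:
    """Server side: the client names the author explicitly and the server verifies it."""
    if not can_act_as(session, author_id):
        raise PermissionError(f"{session.user_id} may not comment as {author_id}")
    return Comment(post_id, author_id, text)


def admin_reply_author(build_link: Callable[[Post], Link]) -> str:
    """Scenario from the write-up: userA posts as page_1, follows a link to the
    post, and replies; returns the identity attached to the reply."""
    session = Session("userA")
    post = create_page_post(session, "page_1", "post_1")
    open_link(session, build_link(post))
    author = composer_identity(session)
    return post_comment(session, post.post_id, "Thanks for the comment!", author).author_id


if __name__ == "__main__":
    for label, builder in (("viewer link (vulnerable)", viewer_link),
                           ("actor link (hardened)", actor_link)):
        print(f"{label}: reply posted as {admin_reply_author(builder)}")
```

The scenario function returns the identity that ends up on the reply: the viewer-style link yields the personal account, the actor-carrying link yields the page. When testing similar flows, the checks this suggests are that every entry point into page-owned content (buttons, notifications, push deep links, share links) carries the actor, that the composer displays the identity it will post as instead of inferring it, and that the server rejects an author the session is not allowed to use.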

Timeline:
06 June 2021 : Initial report
09 June 2021 : Facebook security team says it's not valid
12 June 2021 : Review requested
16 June 2021 : Reproduced and triaged
24 June 2021 : Fixed
25 June 2021 : Rewarded $xxx
===
25 June 2021 : Submitted new report
25 June 2021 : Triaged
30 June 2021 : Fixed and triaged (further fix needed)
20 July 2021 : Fixed
23 July 2021 : Rewarded $xxx
