Sending messages as a page while being an analyst/advertiser?

Baibhav Anand

Hello readers,

Today I will tell you how I was able to send messages as a page while being a page analyst/advertiser.

According to this article from Facebook, Analysts and Advertisers cannot send messages as the page.

Here is how I managed to bypass it:

Setup: 3 Facebook accounts, where User A is the admin, User B is the attacker account, and User C is any random Facebook account.

Steps:

  1. Make User B an editor.
  2. User B must be using Facebook Lite.
  3. Send the page a message from User C's account.
  4. User B, in the Facebook Lite app, will get a notification saying User C messaged the page.
  5. User B will open the message.
  6. User A will now change User B's page role to Analyst.
  7. While User B is still in the inbox with User C, he/she will be able to send messages as the page despite being a page analyst or advertiser.

Here is a video POC:

As unfortunate as it could be for me, it got an internal fix.

Thank you for making it to the end of the article. Here is a Facebook bug bounty tip: while you are in a session where you had privileges, try changing your privilege and see if you can still perform certain tasks while still in that session.
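To make the tip concrete from the fixing side, here is an added example (not code from this post or from Facebook) that replays the steps above against two toy inbox handlers: one that decides the permission once when the conversation is opened, and one that re-reads the role on every send. The class names, role strings and the idea that the permission was cached per open conversation are assumptions for illustration; the post does not describe the root cause.

```python
# Constructed model. Role names and the permission set are assumptions:
# the post only says editors could send and analysts/advertisers cannot.
CAN_SEND_AS_PAGE = {"admin", "editor"}


class Page:
    def __init__(self):
        self.roles = {}  # user -> current role (server-side source of truth)


class StaleInbox:
    """Vulnerable pattern: permission is evaluated once, when the thread is opened."""

    def __init__(self, page, user):
        self.allowed = page.roles.get(user) in CAN_SEND_AS_PAGE  # cached decision

    def send(self, text):
        if not self.allowed:
            raise PermissionError("cannot send as page")
        return f"[page] {text}"


class CheckedInbox:
    """Hardened pattern: the current role is re-read on every privileged action."""

    def __init__(self, page, user):
        self.page, self.user = page, user

    def send(self, text):
        role = self.page.roles.get(self.user)
        if role not in CAN_SEND_AS_PAGE:
            raise PermissionError(f"{self.user} ({role}) cannot send as page")
        return f"[page] {text}"


def downgraded_user_can_send(inbox_cls):
    """Replay the post's steps; True means the role change was not enforced."""
    page = Page()
    page.roles["user_b"] = "editor"    # step 1: User B is an editor
    inbox = inbox_cls(page, "user_b")  # steps 4-5: User B opens the conversation
    page.roles["user_b"] = "analyst"   # step 6: User A downgrades User B
    try:
        inbox.send("hello user_c")     # step 7: send while the thread is still open
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("stale check bypassed:  ", downgraded_user_can_send(StaleInbox))
    print("per-action check bypassed:", downgraded_user_can_send(CheckedInbox))
```

The same replay works as a regression test for any role-change flow: open the privileged view, downgrade the account, then assert that the next privileged action is rejected.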

Written by Baibhav Anand

I am a security researcher from Nepal and also the Founder and CEO of BaiTux (a cyber security based educational start-up).
