Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic

Ritish Kumar Singh
Jan 22, 2020


Description:

Community Managers can moderate comments in chat and mute or remove people who violate community standards. To add a community manager to a page, the page must be in the “Gaming Video Creator” category.

When a page admin adds a community manager and then changes the page category from “Gaming Video Creator” to any other category while the invite is still pending, the page admin afterwards loses control over that community manager in page roles.

Impact:

Page admins lose control over “pending community manager invites” and “existing community managers” in page roles. Since the admin can no longer see or revoke the role, this leaves “Community Managers” free to misuse their privileges.

Reproduction Steps:

  1. Person1 goes to facebook.com/pages > create_page
  2. Enter page name and choose category as “Gaming Video Creator”
  3. Person1 goes to settings>page_roles>add_community_manager
  4. Person1 adds Person2 as community manager
  5. Invite is still pending (Person2 hasn’t yet accepted the invite)
  6. Meanwhile, Person1 goes to page_info and changes category from “Gaming Video Creator” to “Art”
  7. After the change, Person1 goes to page_roles and cannot find the pending invite
  8. Now, as Person2, accept the invite
  9. Person2 will be able to continue with his “Community Manager” privileges
  10. Person1 loses the control over Person2 in page_roles
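The steps above describe a check-at-invite, not-at-accept flaw: the category requirement is enforced when the invite is created, but not when it is accepted, and the page-roles view only shows roles the current category can grant. The following toy model, added here as an illustration and not Facebook's code, replays the reproduction steps against a deliberately flawed implementation and against a hardened one that re-validates the precondition at acceptance time and lists every role holder regardless of category. The `Page` class, the `ELIGIBLE_CATEGORIES` rule and the "reject the invite if the category is no longer eligible" policy are assumptions made for the example; Facebook's actual fix is not described on this page.

```python
"""Toy model of page-role invitations (constructed example, not Facebook's code).

The vulnerable path trusts the category check done at invite time and filters
the roles listing by what the current category allows; the fixed path re-checks
the precondition on acceptance and always lists every role and pending invite.
"""

from dataclasses import dataclass, field

COMMUNITY_MANAGER = "community_manager"
# Assumed rule: which page categories may grant which role.
ELIGIBLE_CATEGORIES = {COMMUNITY_MANAGER: {"Gaming Video Creator"}}


class InviteError(Exception):
    pass


@dataclass
class Page:
    name: str
    category: str
    roles: dict = field(default_factory=dict)    # user -> accepted role
    pending: dict = field(default_factory=dict)  # user -> invited role


def role_allowed(page, role):
    allowed = ELIGIBLE_CATEGORIES.get(role)
    return allowed is None or page.category in allowed


def send_invite(page, user, role):
    # Both versions gate invite creation on the category at that moment.
    if not role_allowed(page, role):
        raise InviteError(f"{role} requires one of {ELIGIBLE_CATEGORIES[role]}")
    page.pending[user] = role


def accept_invite_vulnerable(page, user):
    # Flaw: relies on the check done at invite time; the category may have changed since.
    page.roles[user] = page.pending.pop(user)


def accept_invite_fixed(page, user):
    # Hardened: re-validate the precondition at acceptance time.
    role = page.pending.pop(user)
    if not role_allowed(page, role):
        raise InviteError(f"invite for {role} is no longer valid for category {page.category!r}")
    page.roles[user] = role


def visible_roles_vulnerable(page):
    # Flaw: the admin view hides roles the current category can no longer grant,
    # so holders of those roles can neither be seen nor removed.
    merged = {**page.pending, **page.roles}
    return {u: r for u, r in merged.items() if role_allowed(page, r)}


def visible_roles_fixed(page):
    # Hardened: enumerate every role and pending invite regardless of category.
    return {**page.pending, **page.roles}


def revoke(page, user):
    page.pending.pop(user, None)
    page.roles.pop(user, None)


def reproduce(fixed):
    """Replays the report's steps. Returns (roles the admin can see, Person2's role or None)."""
    accept = accept_invite_fixed if fixed else accept_invite_vulnerable
    visible = visible_roles_fixed if fixed else visible_roles_vulnerable
    page = Page("Demo Page", "Gaming Video Creator")     # steps 1-2
    send_invite(page, "Person2", COMMUNITY_MANAGER)      # steps 3-5
    page.category = "Art"                                # step 6
    try:
        accept(page, "Person2")                          # step 8
    except InviteError:
        pass                                             # fixed path rejects the stale invite
    return visible(page), page.roles.get("Person2")


def existing_manager_after_category_change(fixed):
    """Person2 accepted while the category was eligible; the category changes later.
    Returns whether the admin can still see (and therefore revoke) Person2."""
    visible = visible_roles_fixed if fixed else visible_roles_vulnerable
    page = Page("Demo Page", "Gaming Video Creator")
    send_invite(page, "Person2", COMMUNITY_MANAGER)
    accept_invite_fixed(page, "Person2")                 # accepted while eligible
    page.category = "Art"
    return "Person2" in visible(page)


if __name__ == "__main__":
    print("vulnerable:", reproduce(fixed=False))   # Person2 holds the role but is invisible
    print("fixed:     ", reproduce(fixed=True))    # stale invite rejected, nothing hidden
```

Running it shows the two failure modes the report names: in the vulnerable path Person2 ends up holding `community_manager` while the admin's listing is empty, and a manager who accepted before the category change disappears from the listing as well; in the fixed path the stale invite is rejected and existing managers stay visible, so `revoke` always has something to act on.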

Proof Of Concept video:

Note: The video is 9 minutes long; watch it only if you’re patient enough. Otherwise, the steps above will suffice.

Timeline:

Oct 04: Report Sent

Oct 08: Reproduced by Kamala

Oct 14: Triaged by Hortons

Nov 27: Bounty of $500 awarded

Jan 21: Fixed by Facebook

Summary:

Thanks for reading. Shout-outs to Parul Mandloi (for challenging me) and Sameer (for giving me a target).

You can reach out to me on Facebook. See ya :)
