Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic
Community Managers can moderate comments in chat, and mute and remove people who violate community standards. A community manager can only be added to a page that is in the “Gaming Video Creator” category.
If a page admin adds a community manager and then changes the page’s category from “Gaming Video Creator” to any other category while the invite is still pending, the admin afterwards loses control over that community manager in Page Roles.
Neither the “pending community manager invite” nor, once it is accepted, the “existing community manager” is shown in Page Roles, so the admin cannot revoke the role. A community manager who is invisible to the admin in this way is free to misuse the privileges unchecked.
- Person1 goes to facebook.com/pages > create_page
- Enters a page name and chooses “Gaming Video Creator” as the category
- Person1 goes to settings > page_roles > add_community_manager
- Person1 adds Person2 as community manager
- The invite is still pending (Person2 has not yet accepted it)
- Meanwhile, Person1 goes to page_info and changes the category from “Gaming Video Creator” to “Art”
- After the change, Person1 goes to page_roles and can no longer find the pending invite
- Now, as Person2, accept the invite
- Person2 receives and keeps the “Community Manager” privileges
- Person1 has no control over Person2 in page_roles
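To make the failure mode concrete, here is an added toy model in Python of the invite-accept logic that the steps above exercise. It is not Facebook’s code: the class and function names, the category check and the role-listing filter are assumptions chosen to illustrate the bug class. The “is this role available on this page?” precondition is enforced when the invite is created but not when it is accepted, and the Page Roles listing filters by the page’s current category, so an entry the category can no longer hold is silently hidden. The fixed variant re-validates at accept time and lists every role and invite the page actually holds, whatever the category is now.

```python
"""Toy model of the invite-accept bug described in the steps above.

Added example, not Facebook's code. Page, role_allowed, the category
constant and the listing behaviour are assumptions used to illustrate:
  1. a precondition checked at invite time but not at accept time, and
  2. a management UI that filters entries by the *current* category,
     hiding roles the admin can no longer see or revoke.
"""

from dataclasses import dataclass, field

GAMING = "Gaming Video Creator"
COMMUNITY_MANAGER = "community_manager"


@dataclass
class Page:
    name: str
    category: str
    roles: dict = field(default_factory=dict)    # person -> active role
    pending: dict = field(default_factory=dict)  # person -> invited role


def role_allowed(page: Page, role: str) -> bool:
    """Community Manager exists only on Gaming Video Creator pages (assumed rule)."""
    return role != COMMUNITY_MANAGER or page.category == GAMING


def invite(page: Page, person: str, role: str) -> None:
    """Both versions validate eligibility when the invite is created."""
    if not role_allowed(page, role):
        raise ValueError(f"{role!r} is not available on a {page.category!r} page")
    page.pending[person] = role


# --- Vulnerable version ------------------------------------------------------

def accept_vulnerable(page: Page, person: str) -> None:
    """Trusts the check done at invite time; never re-validates."""
    page.roles[person] = page.pending.pop(person)


def list_roles_vulnerable(page: Page) -> dict:
    """Page Roles view that only shows entries the current category can hold."""
    return {
        "pending": {p: r for p, r in page.pending.items() if role_allowed(page, r)},
        "active": {p: r for p, r in page.roles.items() if role_allowed(page, r)},
    }


# --- Fixed version -----------------------------------------------------------

def accept_fixed(page: Page, person: str) -> None:
    """Re-validate against the page's *current* state before granting the role."""
    role = page.pending[person]
    if not role_allowed(page, role):
        raise PermissionError(
            f"invite for {role!r} is no longer valid on a {page.category!r} page")
    page.roles[person] = page.pending.pop(person)


def list_roles_fixed(page: Page) -> dict:
    """Show everything the page actually holds so the admin can always revoke it."""
    return {"pending": dict(page.pending), "active": dict(page.roles)}


def reproduce(accept, list_roles) -> dict:
    """Walk the reproduction steps against a given accept/list implementation."""
    page = Page("Demo Page", GAMING)                 # create page as Gaming Video Creator
    invite(page, "Person2", COMMUNITY_MANAGER)       # Person1 invites Person2
    page.category = "Art"                            # category changed while invite is pending
    before = list_roles(page)                        # what Person1 sees in page_roles now
    try:
        accept(page, "Person2")                      # Person2 accepts the invite
        accepted = True
    except PermissionError:
        accepted = False
    after = list_roles(page)
    return {
        "pending_visible_after_change": "Person2" in before["pending"],
        "accepted": accepted,
        "has_role": page.roles.get("Person2") == COMMUNITY_MANAGER,
        "admin_can_see_role": "Person2" in after["active"],
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(accept_vulnerable, list_roles_vulnerable))
    print("fixed:     ", reproduce(accept_fixed, list_roles_fixed))
```

In the vulnerable run Person2 ends up holding the role while the admin’s listing shows neither the pending invite nor the active manager, which is exactly the hidden community manager described above. In the fixed run the pending invite stays visible (so Person1 can cancel it) and acceptance is refused because the page’s current category cannot hold the role.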
Proof Of Concept video:
Note: The video is 9 minutes long; watch it only if you are patient enough. Otherwise, the steps above suffice.
Oct 04: Report Sent
Oct 08: Reproduced by Kamala
Oct 14: Triaged by Hortons
Nov 27: Bounty of $500 awarded
Jan 21: Fixed by Facebook
You can reach out to me on Facebook. See ya :)