Ritish Kumar Singh
Nov 15, 2018 · 2 min read

Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager

Hello Readers! My name is Ritish. I am 17 years old & I am currently pursuing B.Tech in Computer Science Engineering from Teegala Krishna Reddy Engineering College,Hyderabad,India.

Earlier this year, having managed facebook pages from 0 likes upto a million likes, I was bored with my daily routine. I tried to do something different in my life. And this is how I landed in Facebook Bug Bounty Program.

It was a Tough beginning, but as the time went on, I started understanding the areas where I need to concentrate. And today, after my 25 failed submissions (14 Informative, 11 Not-Applicable), I have finally received my first bounty from facebook.


Sept. 21: Report Sent

Sept. 25: Reproduced by Facebook

Sept. 25: Triaged

Nov. 07: Fixed

Nov. 07: I confirmed the fix

Nov. 14: Bounty of $500 awarded


Suppose Mr.A is an admin of a facebook page & Mr.E is an editor of that particular page. If Mr.E blocks Mr.A on Facebook , then Mr.E doesn’t show up in "PAGE ROLES" section of that page when viewed from Mr.A’s "Business Manager". That means Admin cannot remove that Editor from page while on "Business Manager" because he cannot see editor’s facebook account in Page Roles section.


An editor can block the admin on facebook and can get access to editor’s tools on that page as an "hidden editor" without the possibility of getting removed while the admin is on Business Manager.

Reproduction Steps:

1) User "A" creates a page and Adds that page in his Business Manager account

2) User "A" adds User "B" as an editor on his page

3) User "B" blocks User "A" totally on facebook

4) User "A" goes to business.facebook.com

5) On Top Right corner he clicks on "Business Settings"

6) On left sidebar we can see "Pages" option

7) Click on "Pages"

8) Now we can see "Assigned people & Partners"

9) Search for the name of User "B" in that list

10) We cannot find his name there!!

I would like to thank all my fellow researchers in the Facebook Bug Bounty Community for helping me out extensively whenever I had any doubts.

I would also like to thank the facebook security team for giving me an opportunity to participate in the Bug Bounty Program & protecting billions of users from security attacks.

Thanks again!

Have a great day ahead ☺

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store