Facebook Vulnerability: Unremovable Co-Host in Facebook Group Events

Ritish Kumar Singh
Jun 19, 2019 · 2 min read

Description:

  1. There is an option to create an event within a Facebook group.

How to trick the admins?

There are two ways to trick the admins of the event at the same time: blocking and deactivating.

  • Blocking: In this case, the attacker has to block each and every current admin of the event individually.

In the blocking scenario, the current admins can add a new admin who kicks out the attacker. Because the attacker has blocked only the current admins, the attacker can’t guess these “surprise admins”.

But in the deactivation scenario, adding surprise admins doesn’t resolve the issue, because the attacker’s account is deactivated and therefore hidden from all 2B users. So this is the preferred attack.

Setup:

  • 3 Facebook users (A, B, C).

Reproduction Steps:

  1. 'A' created an event in the group.

Impact:

  • The attacker co-host can deactivate his account so that he cannot be removed as co-host by the event creator or a group admin.
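The root cause is a UI visibility rule (deactivated accounts are hidden) leaking into a role-management path, so the creator can no longer target the co-host for removal. The following is an added Python model of that flaw and its fix, not Facebook’s code or the author’s; the `User`, `Event`, `remove_cohost_buggy`, `remove_cohost_fixed` and `scenario` names are hypothetical.

```python
# Added example (not from the original post): a minimal model of the
# "unremovable co-host" flaw. All names and data here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    active: bool = True  # False once the account is deactivated


@dataclass
class Event:
    creator: str
    cohosts: set = field(default_factory=set)  # user ids holding the role


def visible_cohosts(event, users):
    """Host listing as the UI shows it: deactivated accounts are hidden."""
    return {u for u in event.cohosts if users[u].active}


def remove_cohost_buggy(event, users, actor, target):
    """Flawed: resolves the target against the *visible* host list, so a
    deactivated co-host never matches and silently keeps the role."""
    if actor != event.creator:
        raise PermissionError("only the creator may remove co-hosts")
    if target in visible_cohosts(event, users):
        event.cohosts.discard(target)
        return True
    return False


def remove_cohost_fixed(event, users, actor, target):
    """Fixed: after the authorization check, the role is removed by user id
    regardless of whether the account is currently visible."""
    if actor != event.creator:
        raise PermissionError("only the creator may remove co-hosts")
    if target in event.cohosts:
        event.cohosts.discard(target)
        return True
    return False


def scenario(remove):
    """Replays the post's setup: A creates the event, B is a co-host,
    B deactivates, A tries to remove B. Returns True if B keeps the role."""
    users = {"A": User("A"), "B": User("B")}  # constructed sample data
    ev = Event(creator="A", cohosts={"B"})
    users["B"].active = False  # co-host deactivates the account
    remove(ev, users, actor="A", target="B")
    return "B" in ev.cohosts
```

The same pattern applies to any privileged role: the removal path must resolve the principal by identifier, and account-state filters belong only in display logic.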

Timeline:

  • 09 April: Report sent

Thanks for reading! I tried to make it as informative as possible for people who are less familiar with Facebook “group” events. I also tried to highlight one way to approach a basic vulnerability.

See you soon ;). You can reach out to me on Facebook.
