Facebook Vulnerability: Unremovable Co-Host in facebook group events

Ritish Kumar Singh
Jun 19

Description:

  1. There is an option to create event within a facebook group.
  2. Also, if a non-admin (member) creates an event in the group, the admins & moderators of the group automatically become admins of that particular event.
  3. This means, for each and every event in the group there are two admins (event-creator & group manager).
  4. Also, there’s an option to add co-hosts to the event.
  5. So the event admins can add any member of the group as a co-host and they can accept the co-host invite by clicking on “going”.
  6. Now, in order to become an unremovable co-host, the attacker has to trick both types of admins (event-creator & group admin) at the same time.

How to trick the admins?

There are two ways to trick the admins of the event at the same time: Blocking and Deactivating.

  • Deactivating: In this case, attacker deactivates his account when not in use, so that his name disappears from the co-host list. He can reactivate his account anytime to perform the attack & deactivate again.

Setup:

  • 3 facebook users (A,B,C).
  • A facebook group (B=admin , A=member, C=member).

Reproduction Steps:

  1. 'A' created an event in the group.
  2. 'A' adds 'C' as co-host.
  3. 'C' accepts co-host invite.
  4. 'C' deactivates his account.
  5. Now neither 'A' nor 'B' can see 'C' in Co-Host list.

Impact:

  • The attacker co-host can deactivate his account, so that he cannot be removed as co-host by event-creator or Group Admin.
  • To abuse this, attacker can reactivate his account anytime, make malicious changes to the event and deactivate again, so that he cannot be removed by anyone.
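A small Python model of the failure described in the reproduction steps and the impact section, added here as an illustration; it is constructed for this write-up and is not Facebook's code. The `Account`/`Event` types, the two `remove_cohost_*` functions and the assumed root cause (removal driven only by the list of currently visible co-hosts) are assumptions, since the report does not state how the bug arose server-side.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    active: bool = True          # False once the user deactivates


@dataclass
class Event:
    creator: Account
    # Hypothetical store of the co-host relationship, keyed by account name.
    cohosts: dict[str, Account] = field(default_factory=dict)


def visible_cohosts(event: Event) -> list[str]:
    # What the event-creator / group admin sees: deactivated accounts are hidden.
    return [a.name for a in event.cohosts.values() if a.active]


def remove_cohost_vulnerable(event: Event, name: str) -> bool:
    # Assumed buggy behaviour: removal only works for co-hosts in the visible list,
    # so a deactivated co-host can never be removed (step 5 of the reproduction).
    if name not in visible_cohosts(event):
        return False
    del event.cohosts[name]
    return True


def remove_cohost_fixed(event: Event, name: str) -> bool:
    # Hardened: act on the stored relationship regardless of account state, so the
    # co-host is removable while deactivated and does not come back on reactivation.
    if name not in event.cohosts:
        return False
    del event.cohosts[name]
    return True


def reproduce(remove) -> tuple[bool, bool]:
    """Run steps 1-5 plus the reactivation from the impact section.

    Returns (admin could remove C, C is still co-host after reactivating)."""
    a, c = Account("A"), Account("C")
    ev = Event(creator=a)
    ev.cohosts["C"] = c            # steps 2-3: A adds C, C accepts
    c.active = False               # step 4: C deactivates
    removed = remove(ev, "C")      # A (or group admin B) tries to remove C
    c.active = True                # impact: C reactivates to edit the event
    return removed, "C" in ev.cohosts
```

Running `reproduce` with the vulnerable function yields `(False, True)`: the admin's removal fails and C is still a co-host once reactivated; the fixed function yields `(True, False)`.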

Timeline:

  • 09 April : Report Sent
  • 13 April : Reproduced by Dinesh
  • 15 April : Triaged by Andreas
  • 04 June : Fixed by facebook
  • 19 June : Bounty awarded ($500)