Facebook Vulnerability: Unremovable Co-Host in facebook group events
- There is an option to create an event within a Facebook group.
- If a non-admin (an ordinary member) creates an event in the group, the admins and moderators of the group automatically become admins of that event as well.
- This means that every event in a group has two kinds of admins: the event creator and the group managers.
- There is also an option to add co-hosts to an event.
- An event admin can add any member of the group as a co-host, and that member accepts the co-host invite by clicking "Going".
- So, to become an unremovable co-host, the attacker has to trick both kinds of admins (the event creator and the group admins) at the same time.
How to trick the admins?
There are two ways to trick all admins of the event at the same time: blocking and deactivating.
- Blocking: the attacker blocks each and every current admin of the event individually.
- Deactivating: the attacker deactivates his account when not in use, so that his name disappears from the co-host list. He can reactivate the account at any time to perform the attack and then deactivate it again.
In the blocking scenario, the current admins can add a new admin who then kicks the attacker out. Because the attacker has blocked only the current admins, he cannot guess these "surprise admins".
In the deactivation scenario, adding surprise admins does not resolve the issue, because the attacker's account is deactivated and hidden from all 2B users. So this is the preferred attack.
- 3 Facebook users (A, B, C).
- A Facebook group (B = admin, A = member, C = member).
- 'A' creates an event in the group.
- 'A' adds 'C' as co-host.
- 'C' accepts the co-host invite.
- 'C' deactivates his account.
- Now neither 'A' nor 'B' can see 'C' in the co-host list.
- The attacker co-host can deactivate his account so that he cannot be removed as co-host by the event creator or the group admin.
- To abuse this, the attacker can reactivate his account at any time, make malicious changes to the event, and deactivate it again, so that nobody can remove him.
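The flaw is easier to reason about as a small model of the event's authorization state. The following is an added example, not Facebook's code: the `GroupEvent` class, its method names and the "visible co-host list" filter are assumptions that mirror the behaviour described above. The vulnerable removal path only acts on co-hosts the UI currently shows, so a deactivated co-host keeps his stored privilege; the fixed path treats the stored co-host set as the source of truth.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)            # identity-based hashing so accounts can live in sets
class Account:
    name: str
    active: bool = True         # False models a deactivated Facebook account

@dataclass(eq=False)
class GroupEvent:
    creator: Account
    group_admins: set           # group admins/moderators are event admins too
    cohosts: set = field(default_factory=set)   # stored co-host membership (assumed model)

    def admins(self):
        return {self.creator} | self.group_admins

    def visible_cohosts(self):
        # The co-host list the admins see hides deactivated accounts (as the writeup describes).
        return {acct for acct in self.cohosts if acct.active}

    def remove_cohost_vulnerable(self, actor, target):
        # Pre-fix behaviour: an admin can only remove what the displayed list contains.
        if actor not in self.admins() or target not in self.visible_cohosts():
            return False
        self.cohosts.discard(target)
        return True

    def remove_cohost_fixed(self, actor, target):
        # Hardened: authorization and removal operate on stored membership, not on visibility.
        if actor not in self.admins() or target not in self.cohosts:
            return False
        self.cohosts.discard(target)
        return True

    def can_edit(self, actor):
        # An active admin or co-host may change the event.
        return actor.active and (actor in self.admins() or actor in self.cohosts)

def run_scenario(fixed):
    """Replays the reproduction steps; returns (removal_succeeded, attacker_can_edit_after_reactivating)."""
    a, b, c = Account("A"), Account("B"), Account("C")   # constructed sample accounts
    event = GroupEvent(creator=a, group_admins={b})      # A's event in a group where B is admin
    event.cohosts.add(c)                                 # A adds C, C accepts
    c.active = False                                     # C deactivates: hidden from the co-host list
    remove = event.remove_cohost_fixed if fixed else event.remove_cohost_vulnerable
    removed = remove(b, c)                               # group admin B tries to remove C
    c.active = True                                      # C reactivates
    return removed, event.can_edit(c)
```

`run_scenario(False)` returns `(False, True)`: the removal silently fails and C can still edit the event once reactivated; `run_scenario(True)` returns `(True, False)`.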
- 09 April : Report Sent
- 13 April : Reproduced by Dinesh
- 15 April : Triaged by Andreas
- 04 June : Fixed by Facebook
- 19 June : Bounty awarded ($500)
Thanks for reading! I tried to make this as informative as possible for people who are less familiar with Facebook group events, and to show how to approach a basic vulnerability.
See you soon ;) . You can reach out to me on Facebook.