Facebook Vulnerability: Unremovable Co-Host in Facebook Page Events

Ritish Kumar Singh
Jul 4

Description:

When an Admin of an Event adds a co-host, they must be able to remove the co-host without any interruptions.

But here, when an attacker page is added as a co-host and the attacker page enables Country/Age Restriction, the original Admin is no longer able to remove the attacker page as a co-host of that event.

How to apply Country Restriction accurately?

Facebook now shows the Primary Location of Facebook pages. This gives the attacker an idea of which country the admins actually belong to. If the admins are from multiple countries, the attacker includes all of those countries in the Country Restriction.

But can't the victim use a VPN?

First of all, the victim must know which type of attack is being carried out. He would generally think that the Attacker-Page has declined the request or withdrawn as co-host. In most cases, it is not possible to find out the exact attack.

Also, the victim cannot change his age using a VPN, in case he falls into the age-restricted category. We can spoof location using a VPN, but not age ;)

Impact:

This bug allowed page co-hosts to prevent other hosts from removing them.

Reproduction Steps:

1. Victim will go to his page>events>create event

2. Victim adds Attacker-Page as co-host.

3. Attacker goes to page>events>accept invite

4. Attacker goes to page>settings>general>Age/Country Restriction

5. Attacker enables Demographic restrictions.

6. Now the victim tries to view the co-host: no co-host is found.

7. But the co-host can still edit the event.
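
A toy model of this bug class, added here as an illustration and not Facebook's code or part of the original write-up: the co-host list shown to the event admin reuses the page's public visibility check, so a demographically restricted co-host can be neither seen nor removed. All names (`Page`, `can_view`, `list_cohosts_vulnerable`, `list_cohosts_fixed`, `remove_cohost`) and the sample data are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    name: str
    hidden_from: set = field(default_factory=set)  # country restriction
    min_age: int = 0                               # age restriction

@dataclass
class User:
    country: str
    age: int

@dataclass
class Event:
    admin: User
    cohosts: list = field(default_factory=list)

def can_view(page, user):
    """Public visibility check driven by the page's demographic restrictions."""
    return user.country not in page.hidden_from and user.age >= page.min_age

def list_cohosts_vulnerable(event, viewer):
    # Flaw (assumed model): the management view reuses the public filter, so a
    # restricted co-host disappears from the admin's own event settings.
    return [p.name for p in event.cohosts if can_view(p, viewer)]

def list_cohosts_fixed(event, viewer):
    # The event admin manages the relationship, so they see every co-host
    # regardless of that page's audience restrictions.
    if viewer is event.admin:
        return [p.name for p in event.cohosts]
    return list_cohosts_vulnerable(event, viewer)

def remove_cohost(event, actor, name, lister):
    """Only the admin may remove, and only entries the lister exposes."""
    if actor is not event.admin or name not in lister(event, actor):
        return False
    event.cohosts = [p for p in event.cohosts if p.name != name]
    return True

def demo():
    admin = User(country="IN", age=25)  # constructed sample data
    event = Event(admin, [Page("attacker-page", hidden_from={"IN"})])
    seen_before = list_cohosts_vulnerable(event, admin)
    stuck = remove_cohost(event, admin, "attacker-page", list_cohosts_vulnerable)
    seen_after = list_cohosts_fixed(event, admin)
    removed = remove_cohost(event, admin, "attacker-page", list_cohosts_fixed)
    return seen_before, stuck, seen_after, removed, event.cohosts

if __name__ == "__main__":
    print(demo())
```

The general rule the model illustrates: management and authorization views over a relationship should be computed from the relationship itself, not from audience filters that the other party controls.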

Timeline:

Apr 05: Report Sent

Apr 09: Reproduced by Kamala

May 03: Triaged by Ibrahim

Jul 03: Fixed by Facebook

Jul 03: Bounty of $500 awarded

Thanks for reading! I tried to make it as informative as possible. Also, I tried to highlight the way to use multiple features to approach a basic vulnerability. Sorry for any grammatical errors.

See you soon ;) You can reach out to me on Facebook.