Facebook Vulnerability: Unremovable Facebook group admin

Ritish Kumar Singh
Jan 15, 2019

Hello readers, welcome again. Today I am going to share the details of a recent vulnerability I caught in Facebook Groups.

Timeline:

Nov. 25: Report Sent

Dec. 04: Reproduced by Facebook

Dec. 05: Triaged

Jan. 03: Fixed

Jan. 03: I confirmed the fix

Jan. 15: Bounty of $500 awarded

Description:

There is an option to manage your Facebook group while interacting as your Facebook page instead of your personal profile. Before getting started, I want you to be familiar with some important points related to a Facebook group.

  1. Group Creator: A group creator can add any number of admins and moderators & he cannot be removed by other admins.
  2. Linked Page: Admins can link their Facebook page to the group & manage the group by interacting as the page instead of their personal profile.
  3. Published page: The contents of a published Facebook page are always visible to the public, but an unpublished page is not visible to the public. It is only visible to the people who manage the page.

So, one day the idea of unpublished pages popped into my head. I questioned myself: “If a group creator is not an admin on my page and I link my page to the group & unpublish it, will he be able to see my page in the list of admins?”

Then I immediately took my phone & tested it. But the group creator was able to see my page in the “Admins list”. Then I clicked on the “remove” button & bang!! The group creator always encountered an error message while removing the unpublished page as an admin. I tested this on multiple versions & it was vulnerable on all versions except the desktop version.

Impact:

  1. A malicious group admin can add an unpublished page as an admin which cannot be removed by other admins or the group creator.
  2. Since a linked page is always an admin, all the people who manage the page can access the admin tools. If the malicious admin is kicked out as an admin on the group, he can still access the admin tools of the group by publishing the page whenever he wants & unpublishing it again.

Limitation:

  1. The attacker must already be a group admin.
  2. It was not vulnerable on the desktop version. Hence, only mobile users were affected.

Reproduction Steps:

Setup
===
* 2 Facebook accounts (Admin1, Admin2)
* A Facebook page (Admin2 is admin)

Steps
===
1. Admin1 created a Facebook group (Original creator, cannot be removed by other admins)
2. Admin1 added Admin2 as an admin (Admin2 = Attacker)
3. Admin2 linked his page to the group.
4. Admin2 unpublished the page.
5. Now when Admin1 accesses the group on any version of Facebook except the desktop version, he cannot remove the page as an admin.

Summary:

This vulnerability has been fixed by Facebook & it cannot be reproduced anymore.

I thank the Facebook security team for the bounty & for allowing me to participate in their Bug Bounty Program.

Moreover, I thank the readers for reading my write-up patiently. I tried to make it as informative as possible. Sorry for any grammatical mistakes.

I have a few more write-ups to publish, see you soon ☺
