Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow

Ritish Kumar Singh
Apr 2, 2019 · 3 min read

Hello guys, today I am going to discuss a Facebook vulnerability which I discovered in October 2018. So, let's get started!

Description:

Whenever a victim goes to www.facebook.com/hacked to secure his account, Facebook lets him review some recent changes made in his account.

When the victim reviews recent changes in his Facebook page by clicking on "Pages you manage" in www.facebook.com/hacked, he can see all the "page roles changes" in his pages since the page was created.

But while testing, I found out that when an attacker with an admin/editor role blocks the victim on Facebook, the attacker's "role changes" disappear from the victim's view in www.facebook.com/hacked.
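To make the failure mode concrete, here is an added toy model of the review query (example code, not Facebook's; `review_vulnerable`, `review_fixed` and the block relation are assumed names). It shows how a block check that belongs to social content hides audit entries when it is reused for the role-change log, and how the hardened version keeps the entry visible.

```python
# Added example (not Facebook's code): a toy model of the /hacked
# "page roles changes" review. A per-viewer block filter, correct for
# ordinary posts, hides audit entries when misapplied to the role log.
from dataclasses import dataclass, field


@dataclass
class RoleChange:
    actor: str      # user who performed the change
    target: str     # user whose role was changed
    new_role: str


@dataclass
class Page:
    role_changes: list = field(default_factory=list)


# Constructed block relation: blocked_by[viewer] = users who blocked the viewer.
blocked_by: dict = {}


def block(blocker: str, blocked: str) -> None:
    blocked_by.setdefault(blocked, set()).add(blocker)


def is_blocked_from(viewer: str, actor: str) -> bool:
    """True if `actor` has blocked `viewer` (actor's content is hidden)."""
    return actor in blocked_by.get(viewer, set())


def review_vulnerable(page: Page, viewer: str) -> list:
    # Bug class from the post: the generic "hide content from users who
    # blocked me" filter is applied to the security audit log, so an actor
    # removes their own role change from the victim's review by blocking them.
    return [c for c in page.role_changes if not is_blocked_from(viewer, c.actor)]


def review_fixed(page: Page, viewer: str) -> list:
    # Hardened form: the page admin sees audit entries regardless of block
    # state; blocking governs social visibility, not accountability.
    return list(page.role_changes)


def demo() -> tuple:
    """Returns (vulnerable before block, vulnerable after, fixed before, fixed after)."""
    page = Page()
    page.role_changes.append(RoleChange("attacker", "attacker", "admin"))
    v_before, f_before = len(review_vulnerable(page, "victim")), len(review_fixed(page, "victim"))
    block("attacker", "victim")   # attacker blocks the page owner
    v_after, f_after = len(review_vulnerable(page, "victim")), len(review_fixed(page, "victim"))
    return v_before, v_after, f_before, f_after
```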

Impact:

  • This could have let a malicious administrator hide their role change from the victim within the /hacked flow.

Setup:

Consider 2 users. Here victim = page admin, and attacker = editor/admin/moderator/analyst/advertiser on the same page.

Reproduction Steps:

  1. Victim goes to m.facebook.com/hacked

4. Victim clicks on "Review"

5. Now the victim can undo the role changes that he did not intend to make.

6. Let us consider that the attacker has blocked the victim.

7. Now the victim repeats the same process by going through the /hacked workflow.

8. Here the victim can clearly see "Admin Changed" under "Pages you manage".

9. But when the victim clicks on "Review", it shows "No recent Activity".

Timeline:

Oct 18: Report sent

Oct 19: Reproduced by Peter

Oct 24: Triaged by Armin

Nov 06: Fixed

Nov 13: Bounty of $500 awarded by Facebook

I found that the issue was not fixed on m.facebook.com/hacked & touch.facebook.com/hacked

Nov 14: Report sent

Nov 20: Reproduced by Ed Kurson

Nov 26: Triaged by Roy

Dec 20: Fixed

Jan 15: Bounty of $500 awarded by Facebook

Conclusion:

The issue is now fixed by Facebook and cannot be reproduced anymore. This report helped me earn a total bounty of $1000.

Thanks everyone for taking the time to read this. Pardon any grammatical mistakes. See you soon :)

Thank you!
