Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow

Hello guys, today I am going to discuss a Facebook vulnerability which I discovered in October 2018. So, let's get started!

Description:

Whenever a victim goes to www.facebook.com/hacked to secure their account, Facebook lets them review some recent changes made in the account.

When the victim reviews recent changes to their Facebook Pages by clicking on "Pages you manage" in www.facebook.com/hacked, they can see all the page role changes on their Pages since each Page was created.

But while testing, I found that when an attacker admin/editor blocks the victim on Facebook, the attacker's role changes disappear from the victim's view in www.facebook.com/hacked.

Impact:

  • This could have let a malicious administrator hide their role changes within the /hacked flow.
  • I identified an issue where the checkpoint flow didn't show content from a user who had blocked the victim.

Setup:

Consider two users: the victim is a Page admin, and the attacker is an editor/admin/moderator/analyst/advertiser on the same Page.

Reproduction Steps:

  1. Victim goes to m.facebook.com/hacked
  2. Victim clicks on "I found a post, message or event that I didn't create"
  3. Victim clicks on "Pages you manage"
  4. Victim clicks on "Review"
  5. Now the victim can undo the role changes that they didn't intend to make.
  6. Let us consider that the attacker has blocked the victim
  7. Now the victim repeats the same process by going through the /hacked workflow
  8. Here the victim can clearly see "Admin Changed" under "Pages you manage"
  9. But when the victim clicks on "Review" it shows "No recent Activity"
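The bug class behind these steps, as an added example (not code from the report or from Facebook): a security-review screen that reuses the feed's block-based visibility rule silently drops every audit entry made by whoever blocked the viewer, while an audit view of the viewer's own Page must not consult the block graph at all. The users, roles and block structure below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class RoleChange:
    actor: str     # user who performed the role change
    target: str    # user whose Page role was changed
    new_role: str  # role assigned by the change

# Constructed sample data (hypothetical users and roles on one Page).
PAGE_ROLE_LOG: List[RoleChange] = [
    RoleChange("victim", "attacker", "editor"),    # victim added the attacker
    RoleChange("attacker", "attacker", "admin"),   # attacker escalated themselves
    RoleChange("attacker", "victim", "analyst"),   # attacker demoted the victim
]

# Assumed block graph: BLOCKS["attacker"] == {"victim"} means attacker blocked victim.
BLOCKS: Dict[str, Set[str]] = {"attacker": {"victim"}}

def is_hidden_from(viewer: str, author: str, blocks: Dict[str, Set[str]]) -> bool:
    """Feed-style visibility rule: content is hidden when its author blocked the viewer."""
    return viewer in blocks.get(author, set())

def review_vulnerable(viewer: str, log: List[RoleChange], blocks: Dict[str, Set[str]]) -> List[RoleChange]:
    """Models the reported behaviour: the review screen reuses the feed rule,
    so every change made by a user who blocked the viewer disappears."""
    return [c for c in log if not is_hidden_from(viewer, c.actor, blocks)]

def review_fixed(viewer: str, log: List[RoleChange], blocks: Dict[str, Set[str]]) -> List[RoleChange]:
    """Audit view for a security flow: the viewer is reviewing their own Page's
    history, so the block relationship between viewer and actor is irrelevant."""
    return list(log)

def silently_dropped(viewer: str, log: List[RoleChange], blocks: Dict[str, Set[str]]) -> List[RoleChange]:
    """Regression check: entries the audit view would lose if it applied the feed rule.
    A non-empty result means an actor can hide their own changes by blocking the reviewer."""
    shown = set(review_vulnerable(viewer, log, blocks))
    return [c for c in review_fixed(viewer, log, blocks) if c not in shown]

if __name__ == "__main__":
    for c in silently_dropped("victim", PAGE_ROLE_LOG, BLOCKS):
        print(f"hidden from victim: {c.actor} set {c.target} -> {c.new_role}")
```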

Timeline:

Oct.18: Report Sent

Oct.19: Reproduced by Peter

Oct.24: Triaged by Armin

Nov.06: Fixed

Nov.13: Bounty of $500 awarded by Facebook

I found that the issue was not fixed on m.facebook.com/hacked & touch.facebook.com/hacked

Nov.14: Report Sent

Nov.20: Reproduced by Ed Kurson

Nov.26: Triaged by Roy

Dec.20: Fixed

Jan.15: Bounty of $500 awarded by Facebook

Conclusion:

The issue is now fixed by Facebook and can no longer be reproduced. This report earned me a total bounty of $1000.

Thanks everyone for taking the time to read this. Pardon any grammatical mistakes. See you soon :)

Thank you!