Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow
Hello guys, today I am going to discuss a Facebook vulnerability, which I discovered in October 2018. So, let’s get started!
Whenever a victim goes to www.facebook.com/hacked to secure his account, Facebook allows him to review some recent changes made to his account.
When the victim reviews recent changes to his Facebook pages by clicking on “Pages you manage” in www.facebook.com/hacked, he can see all the “page role changes” on his pages since the creation of each page.
But while testing, I found out that when an attacker admin/editor blocks the victim on Facebook, his “role changes” disappear from the victim’s view in www.facebook.com/hacked.
- This could have let a malicious administrator hide their role changes within the /hacked flow.
- I identified an issue where the checkpoint flow didn’t show content from a user who had blocked the victim.
Consider two users: here the victim is a page admin, and the attacker is an editor/admin/moderator/analyst/advertiser on the same page.
1. Victim goes to m.facebook.com/hacked
2. Victim clicks on “I found a post, message or event that I didn’t create”
3. Victim clicks on “Pages you manage”
4. Victim clicks on “Review”
5. Now the victim can undo the role changes that he didn’t intend to make.
6. Let us consider that the attacker has blocked the victim.
7. Now the victim repeats the same process by going through the /hacked workflow.
8. Here the victim can clearly see “Admin Changed” under “Pages you manage”.
9. But when the victim clicks on “Review”, it shows “No recent Activity”.
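The following is an added example, not code from the original post or from Facebook. It is a constructed Python model of the flaw described above: a generic feed visibility filter (hiding content from anyone who has blocked the viewer) was applied to what is really a security audit list, so the attacker’s role changes vanished from the Review screen while the “Pages you manage” summary still reported them. The names, records and block relationship are all made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleChange:
    page_id: str
    actor: str      # user who made the change
    target: str     # user whose role was changed
    new_role: str

# Constructed sample audit records (not real Facebook data).
ROLE_CHANGES = [
    RoleChange("page-1", "victim", "attacker", "editor"),
    RoleChange("page-1", "attacker", "attacker", "admin"),
    RoleChange("page-1", "attacker", "victim", "analyst"),
]

# Block relationships as (blocker, blocked): the attacker has blocked the victim.
BLOCKS = {("attacker", "victim")}

def hidden_by_block(actor: str, viewer: str) -> bool:
    """Generic social-visibility rule: content from someone who blocked you is hidden."""
    return (actor, viewer) in BLOCKS

def vulnerable_review(viewer: str, page_id: str) -> list[RoleChange]:
    """Models the bug: the Review screen reused the social filter,
    so every change made by the blocking attacker disappeared."""
    return [c for c in ROLE_CHANGES
            if c.page_id == page_id and not hidden_by_block(c.actor, viewer)]

def fixed_review(viewer: str, page_id: str) -> list[RoleChange]:
    """Hardened form: a page admin's security audit view shows every role
    change on the page regardless of block relationships."""
    return [c for c in ROLE_CHANGES if c.page_id == page_id]

def summary_count(page_id: str) -> int:
    """The 'Pages you manage' summary, which counted all changes (unfiltered)."""
    return sum(1 for c in ROLE_CHANGES if c.page_id == page_id)

def review_is_consistent(viewer: str, page_id: str, review_fn) -> bool:
    """Regression check: the detailed Review list must account for every
    change the summary reports; a mismatch is the symptom from step 8/9."""
    return len(review_fn(viewer, page_id)) == summary_count(page_id)
```

Running `review_is_consistent("victim", "page-1", vulnerable_review)` reproduces the reported inconsistency, while the fixed view passes the same check.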
- Oct. 18: Report sent
- Oct. 19: Reproduced by Peter
- Oct. 24: Triaged by Armin
- Nov. 13: Bounty of $500 awarded by Facebook
I found that the issue was not fixed on m.facebook.com/hacked and touch.facebook.com/hacked.
- Nov. 14: Report sent
- Nov. 20: Reproduced by Ed Kurson
- Nov. 26: Triaged by Roy
- Jan. 15: Bounty of $500 awarded by Facebook
The issue is now fixed by Facebook and cannot be reproduced anymore. This report helped me earn a total bounty of $1000.
Thanks everyone for taking the time to read this. Pardon any grammatical mistakes. See you soon :)