Posting in groups as other people whenever an attacker knew their email address.

Zahid Ali
Jun 29, 2017 · 2 min read

Summary :

“Facebook groups are one of the most popular features, where people discuss anything under the sun. There have been instances where such discussions have landed people in jail. That being the case, what if I could post something on your behalf in a Facebook group? Well, the after-effect depends on what I post on your behalf, doesn’t it? Apparently there existed a vulnerability which could let you spoof anyone and post anything to a Facebook group.”

Hey everyone! I hope you are all doing well. Today I want to share an issue I found in Facebook groups. I was looking for other ways to post in Facebook groups, which led me to this link;

According to the link, we need to set a slug for our group, and then group members/admins (only) can use email to post in the group:

  • User emails “Hello test post” to
  • Facebook checks whether the sender email belongs to a group member
  • If it does, the email content gets posted in the group

So after understanding the feature I quickly set up an SMTP server (I used smtp2go) and a Perl script called “sendemail” to send emails through our SMTP server.

Command — perl -f -t -u Hello -m Whatsup -s smtp_host -xu smtp_username -xp smtp_password

Where:

  • -f = From sender
  • -t = Target email
  • -u = Subject
  • -m = Message
  • -s = SMTP host with port
  • -xu = SMTP username
  • -xp = SMTP password

Response — Email sent successfully

I quickly refreshed the group and found out that it was posted successfully in the group :d

The only catch here was that you need to know the email address of the group member you want to spoof. But there was a way around this as well.
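As an added example (not from the original post, and not Facebook’s actual implementation), here is what the email-to-post membership check described above looks like when it stops trusting the SMTP From header on its own. The gateway only treats the sender as proven when the receiving MTA recorded an SPF or DKIM pass whose domain aligns with the From domain; the member list, group slug and the three sample messages are constructed, and the Authentication-Results layout is assumed to follow the usual RFC 8601 form.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample data: the group's member list (assumed; not Facebook's).
GROUP_MEMBERS = {"alice@example.com", "bob@example.org"}

def sender_is_authenticated(msg):
    """True only if the receiving MTA's Authentication-Results header records
    an SPF or DKIM pass whose domain aligns with the From domain (DMARC-style).
    Assumed RFC 8601 layout, e.g.
      Authentication-Results: mx.example; spf=pass smtp.mailfrom=a@d; dkim=pass header.d=d
    """
    from_domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    if not from_domain:
        return False
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=pass\b[^;]*smtp\.mailfrom=(?:[^@;\s]*@)?([^\s;]+)", results)
    dkim = re.search(r"dkim=pass\b[^;]*header\.d=([^\s;]+)", results)
    return any(m and m.group(1).lower() == from_domain for m in (spf, dkim))

def email_to_post(raw):
    """Return the post to publish, or None if the mail must be rejected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in GROUP_MEMBERS:
        return None          # the check the feature already had: not a member
    if not sender_is_authenticated(msg):
        return None          # the missing check: the From header is unverified
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return None
    return {"author": sender, "text": body.get_content().strip()}

# Constructed sample messages (addresses and group slug are placeholders).
SPOOFED = (b"From: alice@example.com\r\nTo: my-group@groups.example\r\n"
           b"Subject: Hello\r\n\r\nWhatsup\r\n")   # forged From, no auth results
GENUINE = (b"Authentication-Results: mx.example; spf=pass smtp.mailfrom=alice@example.com;"
           b" dkim=pass header.d=example.com\r\n" + SPOOFED)
NONMEMBER = GENUINE.replace(b"alice@example.com", b"mallory@example.com")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("nonmember", NONMEMBER)):
        print(name, "->", email_to_post(raw))
```

The spoofed message is the one the post's sendemail command produces: a member's address in From but no authentication result behind it, so it is dropped instead of published.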

Proof of concept video

Thanks to Facebook for the quick fix and for the generous bounty amount.

  • Initial Report Sent — Wed, Jun 14, 2017 at 6:45 AM
  • Escalation by Facebook — Sat, Jun 17, 2017 at 5:00 AM
  • Fixed by Facebook — Same Day
  • Bounty Awarded by Facebook — Thu, Jun 29, 2017 at 12:59 AM - ($7,500 USD)
