Disclosure of Facebook Page Admin due to insecure tagging behavior

Photo from http://milingona.al/

It was a sunny afternoon, and I was driving back home from my Master's class at Holy Angel University, when I saw something interesting in the notification tab of the Facebook app.

My company, Secuna, sponsored a cybersecurity event called Haxxor. It was a whole-day event with cybersecurity talks and a capture-the-flag activity, held by the Association for Computing Machinery (ACM) University of the Philippines Diliman Student Chapter.

Someone with an Admin or Editor role on their Facebook Page mentioned our Facebook Page, Secuna. The interesting part was the notification I received from them. Instead of “Association for Computing Machinery — UP Diliman Student Chapter, Inc. mentioned Secuna blah blah blah”, I received something like this: “{Admin or Editor of the page} mentioned Secuna blah blah blah”. In other words, the notification named the personal account behind the Page action, which should have stayed hidden behind the Page's name.

So I decided to replicate it by mentioning a Facebook page from my own Facebook page. You can mention a Facebook page in a status post, an album description, a cover photo, a profile picture, a comment, and in many other places.

The embedded video below is a proof of concept of the security vulnerability.

I also found another way to disclose a Facebook page admin while the Facebook Security team was fixing the first bug I reported. The second bug was in Facebook Page Carousel Ads.

Facebook resolved the two security vulnerabilities I reported.

Additional Information: You can stop others from tagging or mentioning your Facebook page. Just click the link below to learn how.

Timeline:
June 2, 2018: Report sent to Facebook Security Team
June 14, 2018: Aaron from the Facebook Security Team replied that they were sending it to the appropriate product team for further investigation.
June 21, 2018: Aaron replied that the vulnerability had been patched.
June 21, 2018: I replied that the vulnerability was no longer working.
June 22, 2018: I submitted another report with the same issue, but triggered in a different way.
June 27, 2018: The Facebook Security Team rewarded me a bounty for the first vulnerability.
June 29, 2018: Stephen from the Facebook Security Team replied that they had managed to reproduce the vulnerability.
June 29, 2018: Stewie from the Facebook Security Team replied that they were sending the second vulnerability to the appropriate product team for further investigation.
July 11, 2018: Stewie replied that the second vulnerability had been patched.
July 11, 2018: I replied that the vulnerability was no longer working and asked why they didn't consider my second report a duplicate of the first vulnerability I reported.
July 11, 2018: Stewie answered my question.

“Even though it appears that one is on cover photo and the other issue is on Ads, if you think about what actually caused this, it was the tagging behavior. Basically we did not properly represent the presence of the tagger in some cases. Sorry that I cannot give too much details but I hope you find my answer reasonable.”

July 11, 2018: I acknowledged her answer and thanked them for resolving the vulnerability.
July 18, 2018: Facebook Security Team rewarded me another bounty for the second vulnerability.
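To make the root cause Stewie describes concrete, here is an added, simplified model of the attribution logic (my own illustration, not Facebook's code): the flawed renderer only honours "acting as a Page" on some surfaces and falls back to the admin's personal name on the rest, while the fixed renderer resolves the displayed identity once, independent of surface. The surface names and the admin's name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Actor:
    kind: str   # "user" (a personal account) or "page"
    name: str

@dataclass(frozen=True)
class MentionEvent:
    surface: str                # where the mention was made: "post", "cover_photo", "carousel_ad"
    acting_user: Actor          # the personal account that performed the action
    acting_as: Optional[Actor]  # the Page that account was acting on behalf of, if any
    target: Actor               # the Page that was mentioned

# Surfaces whose notification code path was taught about "act as Page" (assumed set).
PAGE_AWARE_SURFACES = {"post", "comment"}

def render_notification_flawed(ev: MentionEvent) -> str:
    # Flawed: the Page context is consulted only on some surfaces; the rest
    # silently fall back to the admin's personal name (the bug in the writeup).
    if ev.acting_as is not None and ev.surface in PAGE_AWARE_SURFACES:
        who = ev.acting_as.name
    else:
        who = ev.acting_user.name
    return f"{who} mentioned {ev.target.name}"

def render_notification_fixed(ev: MentionEvent) -> str:
    # Fixed: the identity shown is decided once, with no per-surface special case.
    who = ev.acting_as.name if ev.acting_as is not None else ev.acting_user.name
    return f"{who} mentioned {ev.target.name}"

def leaks_admin(ev: MentionEvent, render: Callable[[MentionEvent], str]) -> bool:
    # Regression check: an action taken as a Page must never surface the admin's name.
    return ev.acting_as is not None and ev.acting_user.name in render(ev)

# Constructed sample data: one admin acting as the ACM page mentions Secuna on three surfaces.
ADMIN = Actor("user", "Juan Admin (constructed)")
ACM_PAGE = Actor("page", "ACM UP Diliman Student Chapter")
SECUNA = Actor("page", "Secuna")

def sample_events() -> List[MentionEvent]:
    return [MentionEvent(s, ADMIN, ACM_PAGE, SECUNA)
            for s in ("post", "cover_photo", "carousel_ad")]

if __name__ == "__main__":
    for ev in sample_events():
        print(ev.surface, "| flawed:", render_notification_flawed(ev),
              "| fixed:", render_notification_fixed(ev))
```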