Disclosure of Facebook Page Admin due to insecure tagging behavior

Aj Dumanhug
Sep 9, 2018 · 3 min read
Photo from http://milingona.al/

It was a sunny afternoon. While I was driving back home from our Masters class at Holy Angel University, I saw something interesting in the notification tab of the Facebook app.

My company, Secuna, sponsored a cybersecurity event called Haxxor, a whole-day event with cybersecurity talks and a capture-the-flag activity, held by the Association for Computing Machinery (ACM) University of the Philippines Diliman Student Chapter.

Someone with the Admin or Editor role on their Facebook Page mentioned our Facebook Page, Secuna. The interesting part was the notification I received. Instead of “Association for Computing Machinery — UP Diliman Student Chapter, Inc. mentioned Secuna blah blah blah”, I received something like this: “{Admin or Editor of the page} mentioned Secuna blah blah blah”. In other words, the notification named the personal account acting on behalf of the Page rather than the Page itself, which is exactly the information a Page's admin list is supposed to keep private.

So I decided to replicate it by mentioning a Facebook Page from my own Facebook Page. A Facebook Page can be mentioned in a status post, an album description, a cover photo, a profile picture, a comment, and in many other places.

The embedded video below is a proof of concept of the security vulnerability.

I also found another way to disclose a Facebook Page admin while the Facebook Security team was fixing the first bug I reported. The second bug was in Facebook Page Carousel Ads.
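The root cause Facebook's engineer gives further down, that the tagger's presence was not represented properly in some cases, is easy to reproduce in miniature. The following is an added illustration and not Facebook's code: a toy notification renderer in which the displayed actor is resolved per surface (the buggy form) versus once, centrally (the fixed form), together with the regression check a reviewer would want, which walks every surface with a mention made on behalf of a Page and flags any surface that exposes the personal account behind it. All names, IDs, surface labels and the two "forgotten" surfaces are constructed for the example; the cover photo and carousel ad are used because those are the two surfaces named in the reports.

```python
# Added example, not Facebook's code. Models why a Page-attributed action can
# leak the personal account of the Admin/Editor who performed it: the
# "acting as a Page" context is dropped on some surfaces, and the renderer
# falls back to the underlying account. Everything below is constructed.
from dataclasses import dataclass
from typing import Callable, Optional, Set, Union


@dataclass(frozen=True)
class Account:
    id: int
    name: str


@dataclass(frozen=True)
class Page:
    id: int
    name: str


@dataclass(frozen=True)
class Mention:
    surface: str                # where the tag was placed (constructed labels)
    author: Account             # personal account that performed the action
    acting_as: Optional[Page]   # Page on whose behalf it was done, if any
    target: Page                # the Page that was mentioned


# Surfaces on which a Page can mention another Page (from the post, plus the
# carousel ad from the second report). Labels are constructed.
SURFACES = ("post", "album_description", "cover_photo", "profile_picture",
            "comment", "carousel_ad")

Actor = Union[Account, Page]
Resolver = Callable[[Mention], Actor]


def resolve_actor_vulnerable(m: Mention) -> Actor:
    """Buggy: only the surfaces wired up first honour acting_as.

    The hypothetical cover photo and ad paths were plumbed without the
    acting_as context, so they silently fall back to the personal account.
    """
    if m.surface in ("post", "comment", "album_description", "profile_picture"):
        return m.acting_as if m.acting_as is not None else m.author
    return m.author


def resolve_actor_fixed(m: Mention) -> Actor:
    """Fixed: resolve the displayed actor in one place, independent of surface."""
    return m.acting_as if m.acting_as is not None else m.author


def render(m: Mention, resolve: Resolver) -> str:
    """Build the notification text the mentioned Page's admins would see."""
    return f"{resolve(m).name} mentioned {m.target.name}"


def leaks_author(m: Mention, resolve: Resolver) -> bool:
    """True if an action taken as a Page is attributed to the personal account."""
    return m.acting_as is not None and resolve(m) is m.author


def leaking_surfaces(resolve: Resolver) -> Set[str]:
    """Regression check: mention made as a Page on every surface; report leaks."""
    admin = Account(id=1001, name="Admin Account")      # constructed
    acm = Page(id=2001, name="ACM UP Diliman")          # constructed
    secuna = Page(id=2002, name="Secuna")               # constructed
    leaks: Set[str] = set()
    for surface in SURFACES:
        m = Mention(surface=surface, author=admin, acting_as=acm, target=secuna)
        if leaks_author(m, resolve):
            leaks.add(surface)
    return leaks


if __name__ == "__main__":
    print("vulnerable leaks on:", sorted(leaking_surfaces(resolve_actor_vulnerable)))
    print("fixed leaks on:", sorted(leaking_surfaces(resolve_actor_fixed)))
```

The check compares identities rather than substrings of the rendered text, so a Page whose name happens to contain an admin's name does not trip it; the point it makes is that actor resolution belongs in one code path, because every surface that re-implements it is a place where the "acting as" context can be lost.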

Facebook resolved the two security vulnerabilities I reported.

Additional information: you can stop others from tagging or mentioning your Facebook Page in the Page's settings; Facebook's Help Center explains how.

Timeline:
June 2, 2018: Report sent to the Facebook Security Team.
June 14, 2018: Aaron from the Facebook Security Team replied that they were sending it to the appropriate product team for further investigation.
June 21, 2018: Aaron replied that the vulnerability had been patched.
June 21, 2018: I replied that the vulnerability was no longer working.
June 22, 2018: I submitted another report for the same issue, triggered in a different way.
June 27, 2018: The Facebook Security Team rewarded me a bounty for the first vulnerability.
June 29, 2018: Stephen from the Facebook Security Team replied that they had managed to reproduce the vulnerability.
June 29, 2018: Stewie from the Facebook Security Team replied that they were sending the second vulnerability to the appropriate product team for further investigation.
July 11, 2018: Stewie replied that the second vulnerability had been patched.
July 11, 2018: I replied that the vulnerability was no longer working and asked why they didn't consider my second report a duplicate of the first vulnerability I reported.
July 11, 2018: Stewie answered my question:

“Even though it appears that one is on cover photo and the other issue is on Ads, if you think about what actually caused this, it was the tagging behavior. Basically we did not properly represent the presence of the tagger in some cases. Sorry that I cannot give too many details but I hope you find my answer reasonable.”

July 11, 2018: I acknowledged her answer and thanked them for resolving the vulnerability.
July 18, 2018: The Facebook Security Team rewarded me another bounty for the second vulnerability.

Written by Aj Dumanhug: CTO/CISO at Secuna, Moderator at hackstreetboys, Cybersecurity Trainer at UP and Adamson. Cybersecurity PH CERT and ROOTCON 13 CTF Champion.

Published in InfoSec Write-ups.