Hello everyone, I have not written a blog post for a long time, so I thought of writing one. Today, I am going to share one of my valid Facebook issues that I discovered in 2019.
Vulnerability Type: Privacy / Authorization
Product Area: Events
Title: Facebook Page admin Disclosure
When a page admin adds a user as a co-host of an event created by the page, a notification is sent to that user saying that the page has made them a host of the event. When you open the event, however, it shows that a person (the name of the admin) has invited you to join the event, which leaks the page admin's name.
Impact of the Vulnerability:
· Page admin can be disclosed.
· An unauthorized invitation is sent by the page admin to the co-host user.
Steps I followed to reproduce this issue:
1. Create an event from a page
2. Add another account (make sure he/she is not an admin of the page) as a co-host of the event.
3. Open another account and click the notification about the co-host.
4. You will see the name of the admin who added you as a co-host, like this:
Ajay Gautam invited you
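The leak comes down to which identity the invite view names as the actor. The sketch below is an added example, not Facebook's code and not from the original report; the post does not describe how the fix was implemented. It models the leaky attribution beside one possible correction, plus a check that a rendered view contains no admin identifiers. All class, function and user names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data; ids and names are placeholders.
USERS = {"u_admin": "Admin Example", "u_cohost": "Cohost Example"}

@dataclass(frozen=True)
class Page:
    page_id: str
    name: str
    admin_ids: frozenset

@dataclass(frozen=True)
class CoHostInvite:
    event_name: str
    page: Page
    acting_user_id: str  # admin's personal account that added the co-host
    invitee_id: str

def _view(invite, viewer_id, actor_id, actor_name):
    target = "you" if viewer_id == invite.invitee_id else USERS[invite.invitee_id]
    return {"event": invite.event_name, "inviter_id": actor_id,
            "text": f"{actor_name} invited {target}"}

def render_leaky(invite, viewer_id):
    """Behaviour described in the post: the personal account is shown as inviter."""
    uid = invite.acting_user_id
    return _view(invite, viewer_id, uid, USERS[uid])

def render_fixed(invite, viewer_id):
    """Attribute the action to the page unless the viewer administers that page."""
    if viewer_id in invite.page.admin_ids:
        uid = invite.acting_user_id
        return _view(invite, viewer_id, uid, USERS[uid])
    return _view(invite, viewer_id, invite.page.page_id, invite.page.name)

def leaked_admins(payload, page):
    """Admin ids whose id or display name appears anywhere in a rendered view."""
    blob = " ".join(str(v) for v in payload.values())
    return sorted(a for a in page.admin_ids if a in blob or USERS[a] in blob)

PAGE = Page("p_1", "Example Page", frozenset({"u_admin"}))
INVITE = CoHostInvite("Launch Party", PAGE, "u_admin", "u_cohost")

if __name__ == "__main__":
    for render in (render_leaky, render_fixed):
        view = render(INVITE, "u_cohost")
        print(render.__name__, "|", view["text"], "|", leaked_admins(view, PAGE))
```

A check like `leaked_admins` can run as a regression test over every view a non-admin can reach for actions taken on behalf of a page.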
Initial Report: Feb 11, 2019
Facebook Reproduced/Sent to Product Team: Feb 14, 2019
Fixed: March 18, 2019
Bounty Awarded: March 20, 2019 (1000$)