Page Admin Disclosure | Facebook Bug Bounty 2019

Ajay Gautam
Jun 22 · 2 min read

Hello everyone, I have not written a blog post for a long time, so I thought of writing one. Today I am going to share one of my valid Facebook issues, which I discovered in 2019.

Vulnerability Type: Privacy / Authorization

Product Area: Events

Title: Facebook Page admin Disclosure

Vulnerability Description:

When a page admin adds people as co-hosts of an event created by the page, a notification is sent to each of those users saying that the page has made them a host of the event. When you open the event, however, it shows that someone (the name of the admin) has invited you to join the event. In effect, the notification was leaking the page admin's name.

Impact of the Vulnerability:

· The identity of a page admin can be disclosed.

· An invitation is sent by the page admin to the co-host user without authorization.

Steps I followed to reproduce this issue:

1. Create an event from a page.

2. Add another account (be sure he/she is not an admin of the page) as a co-host of the event.

3. Open the other account and click the notification about the co-host invitation.

4. You will see the name of the admin who added you as a co-host, like this:

Ajay Gautam invited you
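To make the root cause and the fix concrete, here is a small added example (my illustration, not Facebook's code; the data model, the `host_page` field, the admin-role set and the sample names are all assumptions). It shows the "before" behaviour, where the notification names the human who clicked even though the action was taken on behalf of a page, next to a hardened version that authorizes the admin but renders the page as the actor, plus a regression check that scans generated notification text for any admin name.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    name: str


@dataclass(frozen=True)
class Page:
    page_id: int
    name: str
    admin_ids: FrozenSet[int]  # hypothetical page-role table: user ids holding the admin role


@dataclass(frozen=True)
class Event:
    event_id: int
    title: str
    host_page: Optional[Page]  # None when a personal profile, not a page, created the event


def vulnerable_cohost_notification(event: Event, acting_admin: User) -> str:
    """'Before' behaviour described in the write-up: the notification names the
    human who clicked, even though the co-host was added on behalf of the page."""
    return f"{acting_admin.name} invited you to co-host {event.title}"


def fixed_cohost_notification(event: Event, acting_admin: User) -> str:
    """Hardened form: when the event belongs to a page, the page is the actor.
    The admin's identity is checked for authorization but never rendered."""
    if event.host_page is None:
        # Personal event: the inviter acts as themselves, so naming them is fine.
        return f"{acting_admin.name} invited you to co-host {event.title}"
    if acting_admin.user_id not in event.host_page.admin_ids:
        raise PermissionError("only page admins may add co-hosts to a page event")
    return f"{event.host_page.name} invited you to co-host {event.title}"


def leaks_admin_identity(text: str, page: Page, directory: Dict[int, User]) -> bool:
    """Regression check: does a page-scoped notification name any admin of the page?"""
    return any(directory[uid].name in text for uid in page.admin_ids)


# Constructed sample data (not taken from the report).
ALICE = User(user_id=101, name="Alice Admin")
BOB = User(user_id=202, name="Bob Invitee")
DIRECTORY = {u.user_id: u for u in (ALICE, BOB)}
EXAMPLE_PAGE = Page(page_id=9, name="Example Page", admin_ids=frozenset({ALICE.user_id}))
PAGE_EVENT = Event(event_id=1, title="Launch Party", host_page=EXAMPLE_PAGE)
PERSONAL_EVENT = Event(event_id=2, title="Picnic", host_page=None)


def demo() -> Dict[str, str]:
    """Render the three notification variants so they can be compared and tested."""
    return {
        "vulnerable": vulnerable_cohost_notification(PAGE_EVENT, ALICE),
        "fixed": fixed_cohost_notification(PAGE_EVENT, ALICE),
        "personal": fixed_cohost_notification(PERSONAL_EVENT, ALICE),
    }


if __name__ == "__main__":
    for label, text in demo().items():
        leaks = leaks_admin_identity(text, EXAMPLE_PAGE, DIRECTORY)
        print(f"{label:10s} {text!r}  leaks_admin={leaks}")
```

The design point is that the notification's "actor" must be resolved from the context the action was taken in (the page), not from the session that performed it (the admin); the `leaks_admin_identity` check is the kind of assertion you would keep in a test suite so the page/admin distinction cannot quietly regress.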

Video POC

Timeline

Initial Report: Feb 11, 2019

Facebook Reproduced/Sent to Product Team: Feb 14, 2019

Fixed: March 18, 2019

Bounty Awarded: March 20, 2019 ($1000)

Contact Detail

ajay@nassincnepal.com

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring

Written by Ajay Gautam, Chief Information Security Officer at Nass Inc Nepal
