Facebook page admin disclosure by "Message Seller" button (Bounty: 1500 USD)

Hi guys, I’m Shubham Bhamare from Maharashtra, India. As I promised in my previous write-up, here’s my first Facebook bug bounty write-up. Finally! 😂

I know it’s too late to publish this write-up as this bug was found and rewarded in 2018. I’m extremely sorry for that. Anyways, I’m going to publish all my other findings too in coming days.

So without wasting time, let's start! 👉

===

Description:

This issue could've accidentally revealed the identity of Facebook page admin under certain circumstances.

In Facebook, page admin’s roles are secret. Disclosing the identity of page admin may cause a significant privacy issue. In this case, it was possible to disclose the identity of page admin under certain circumstances.

===

Setup:

2 Facebook users i.e. Shubham and John

1 Facebook page i.e. Shubham's Page

1 Facebook group i.e Shubham's Page group

Platform: Facebook web

===

Scenario:

As mentioned above, there are 2 Facebook users i.e. Shubham and John.

Shubham is the admin of Shubham's Page.

Shubham's Page is linked to Shubham's Page group which is a group for Shopping. Post approval for this group is turned on.

John is the member of said group.

Shubham haven't made himself as admin of a group because he don't want to disclose his identity.

So now that group has only one admin i.e. Shubham's Page.

Shubham is just a member of that group and always act as a page.

===

Reproduction steps:

1) From John's account, create a selling post in group.

2) Post will be sent to admin for approval.

3) Now from Shubham’s account (acting as a page), click on the "Message Seller" button at the bottom of above unapproved post and send message.

4) Message will be sent from Shubham's personal profile instead of page. Which is unintended.

===

Logic behind it:

It’s easy for John to determine who’s the admin of the page as there’s only one group admin (Shubham’s Page) who can see that unapproved post.

===

Fix:

Team fixed this issue by removing the "Message Seller" button when acting as a page.

===

Bypass:

I found that fix was incomplete as this issue was still working on old unapproved posts.

===

Bounty:

1500 USD

===

Timeline:

Sep 09, 2018: Report sent
Sep 11, 2018: Pre-triaged
Sep 12, 2018: Triaged
Oct 13, 2018: Fixed
Oct 13, 2018: Fix bypassed
Oct 23, 2018: Fixed completely
Nov 03, 2018: 1500 USD bounty awarded

===

Takeaway(s):

1) If you're new to Facebook bug bounty, try to find logical bugs the most.

2) Always try to find bypass.

===

Thank you for reading! My next write-up will be about my second bug in Facebook (Bounty: 5000 USD). So stay tuned and don’t forget to follow me on Facebook, Twitter, Instagram and Medium. 😊

===

An ORDINARY guy with EXTRAORDINARY dreams!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store