[WRITE-UP] Facebook page admin disclosure by "Create doc" button (Bounty: 5000 USD)
Hi guys, it's Shubham Bhamare again. In this write-up, I'm going to tell you about my 2nd valid bug that I found in Facebook. This issue could've accidentally revealed the identity of a Facebook page admin through the "Create doc" button. This is one of my very special findings because the bounty I received for this report was beyond my expectations. 😃
So without wasting time, let's start! 👉
Setup and Scenario:
1) A Facebook user Sarah is the admin of Sarah's Page.
2) Sarah's Page is linked to Sarah's Group.
3) Sarah hasn't made herself an admin of the group because she doesn't want to disclose her identity.
4) So now it's clear that Sarah's Group has only one admin, i.e. Sarah's Page. Sarah is just a member of that group and always acts as the page.
Reproduction Steps:
1) Using Facebook web, acting as Sarah's Page, create a document in Sarah's Group with the "Create doc" button.
2) Before publishing that document, uncheck the option "Allow group members to edit this document", so that only the document owner or admins will be able to edit that document.
3) Now acting as Sarah's Page, edit and save that document.
4) Now if we look at the version history of this document, Sarah's name will be there.
Logic behind it:
Only the document owner or admins were able to edit that document, so the edit history made it easy for other group members to determine who the admin of the page is: Sarah's name appeared in that history, which was unintended.
Fix and Bypass:
When the team fixed this issue for the "Create doc" button in the post editor, I found that there was another similar button on the "Files" page which was also vulnerable.
When the team was verifying the second fix, they internally identified a 3rd vector that could also be abused.
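A minimal model of this bug class and of a fix that covers every entry point, as an added example that is not Facebook's code or part of the original write-up. All class, field and function names are hypothetical, and the sample sessions are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Session:
    user: str                         # real account, e.g. "Sarah"
    acting_as: Optional[str] = None   # page identity the user is acting as

    @property
    def public_actor(self) -> str:
        # Identity other members are supposed to see for this session.
        return self.acting_as or self.user

@dataclass
class Revision:
    real_user: str      # kept for internal audit only, never rendered
    public_actor: str   # identity shown in version history
    body: str

@dataclass
class GroupDoc:
    revisions: list = field(default_factory=list)

    def save(self, session: Session, body: str) -> None:
        # One write path shared by every surface (post editor, Files page, ...),
        # so a fix here cannot be bypassed through a second button.
        self.revisions.append(Revision(session.user, session.public_actor, body))

    def history_vulnerable(self) -> list:
        # Bug pattern from the write-up: history names the real account.
        return [r.real_user for r in self.revisions]

    def history_fixed(self) -> list:
        # Hardened rendering: history names the identity the editor acted as.
        return [r.public_actor for r in self.revisions]

def leaked_identities(doc: GroupDoc, render) -> set:
    """Regression check: real accounts shown for edits made under a page identity."""
    shown = render(doc)
    return {r.real_user for r, name in zip(doc.revisions, shown)
            if r.real_user != r.public_actor and name == r.real_user}

def demo():
    doc = GroupDoc()
    page = Session(user="Sarah", acting_as="Sarah's Page")  # constructed sample
    doc.save(page, "draft")                       # created while acting as the page
    doc.save(page, "edited")                      # edited while acting as the page
    doc.save(Session(user="Bob"), "own edit")     # user acting as themselves
    return (leaked_identities(doc, GroupDoc.history_vulnerable),
            leaked_identities(doc, GroupDoc.history_fixed))
```

Running `leaked_identities` against each surface that renders version history gives a single regression test for the original button, the "Files" page variant and any later vector.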
Bounty:
5000 USD (This reward covers all three of those vulnerabilities. That's why I like Facebook bug bounty the most. 💙)
Timeline:
Oct 13, 2018: Report sent
Oct 17, 2018: Pre-triaged
Oct 17, 2018: Triaged
Oct 17, 2018: Sent additional information about another vulnerable "Create doc" button
Feb 09, 2019: Fixed completely
Feb 09, 2019: 5000 USD bounty awarded
Takeaways:
1) Don't reveal your findings until you fully believe that there won't be any bypass for it. 😉 Check other endpoints/features too for similar issues.
2) Sometimes you just need logical thinking instead of any advanced tools or knowledge. Because Logic == Magic. 😊
3) Again, if you're new to Facebook bug bounty, try to find logical bugs the most.