[WRITE-UP] Facebook page admin disclosure by "Create doc" button (Bounty: 5000 USD)
Hi guys, it's Shubham Bhamare again. In this write-up, I'm going to tell you about my 2nd valid bug that I found on Facebook. This issue could've accidentally revealed the identity of the Facebook page admin by the "Create doc" button. This is one of the very special findings for me because the bounty I received for this report was beyond my expectations. 😃
So without wasting time, let's start! 👉
Setup and Scenario:
1) A Facebook user Sarah is the admin of Sarah's Page.
2) Sarah's Page is linked to Sarah's Group.
3) Sarah hasn't made herself an admin of the group because she doesn't want to disclose her identity.
4) So now it's clear that Sarah's Group has only one admin i.e. Sarah's Page. Sarah is just a member of that group and always acts as a page.
1) Using the Facebook web, acting as Sarah's Page, create a document in Sarah's Group with the "Create doc" button.
2) Before publishing that document, uncheck the option "Allow group members to edit this document". So that only the document owners or admins will be able to edit that document.
3) Now acting as Sarah's Page, edit and save that document.
4) Now if we see the version history of this document, there will be the name of Sarah.
The logic behind it:
It was easy for other group members to determine who was the admin of the page as only the document owner or admins were able to edit that document. Though there was the name of Sarah in edit history which was unintended.
Fix and Bypass:
When the team fixed this issue for the "Create doc" button which was present in the post editor, I found that there was another similar button on the "Files" page which was also vulnerable.
When the team was verifying the second fix, they internally identified 3rd vector that also could be abused.
5000 USD (This reward covers all three of those vulnerabilities. That's why I like Facebook bug bounty the most. 💙)
Oct 13, 2018: Report sent
Oct 17, 2018: Pre-triaged
Oct 17, 2018: Triaged
Oct 17, 2018: Sent additional information about another vulnerable "Create doc" button
Feb 09, 2019: Fixed completely
Feb 09, 2019: 5000 USD bounty awarded
1) Don't reveal your findings until you fully believe that there won't be any bypass for it. 😉 Check other endpoints/features too for similar issues.
2) Sometimes you just need logical thinking instead of any advanced tools or knowledge. Because Logic == Magic. 😊
3) Again, if you're new to Facebook bug bounty, try to find logical bugs the most.