A serious security flaw in the Facebook Page feature could have caused real trouble for Page admins. As revealed, exploiting this Facebook Page vulnerability allowed an adversary to create invisible posts on target Pages.
Facebook Page Vulnerability
Security researcher Pouya Darabi has recently shared his findings about a major security vulnerability affecting the Facebook Page feature.
Sharing the details in a blog post, Darabi revealed that the vulnerability existed in the feature for creating hidden posts on Facebook Pages. These “invisible” posts do not appear publicly: they are unlisted from the Page’s feed. Yet each bears a post ID and a link, and anyone holding that link can open the post.
This is what an adversary could exploit. The bug allowed an attacker to create a post that appeared to originate from the target Facebook Page, and the target could even be a verified Page. The Page’s admins, however, would never see the post, nor could they delete it.
To demonstrate the exploit, the researcher created an invisible post on his own Page and, in the request, changed the page ID to that of the target Page, thus creating a post from the victim Page. The request was processed without error: Facebook treated the researcher as if he held an advertiser role on the target Page, without checking that he actually did.
As stated in the post:
[Changing the] page_id before saving the mockup in the GraphQL request, and then getting back the sharable link for it, gives us the ability to create a post on any page. All we need to do is to find the post_id that exists on any ad preview endpoints.
A video embedded in the researcher’s post demonstrates the exploit.
Facebook Awarded $30K Bounty
Following his report, Facebook fixed the bug and rewarded the researcher with a $15,000 bounty.
However, the researcher bypassed the fix through the ‘send to mobile’ feature, which still created the post without performing the permission check. He therefore reported the bypass to Facebook.
Facebook then deployed a second fix, and the researcher received another $15,000 bounty for the report, bringing the total to $30,000.
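As an added illustration (not code from the article, from the researcher, or from Facebook), the hypothetical Python below models the access-control mistake described above and the ‘send to mobile’ bypass: a client-controlled page_id reaching a creation path that never checks the caller’s role on that Page, a first fix that guards only one endpoint, and a second fix that moves the check into the shared creation function. All Page names, role data, endpoint names and the link format are constructed for the example.

```python
# Added illustration of the bug class in the article (authorization missing on
# a client-supplied page_id, then bypassed via a second endpoint). Hypothetical
# code, not Facebook's implementation; every name, ID and role below is constructed.
import itertools
from dataclasses import dataclass

# Constructed fixture: who holds which role on which Page.
PAGE_ROLES = {
    "page_researcher": {"researcher": "advertiser"},
    "page_victim": {"victim_admin": "admin"},
}
ALLOWED_ROLES = ("admin", "editor", "advertiser")

_post_ids = itertools.count(1000)
MOCKUPS = {}  # post_id -> Mockup


@dataclass
class Mockup:
    post_id: int
    page_id: str   # the Page the post appears to come from
    author: str    # the account that actually created it
    text: str

    def share_link(self):
        # Unlisted, but reachable by anyone holding the link, as in the article.
        return f"https://example.invalid/{self.page_id}/posts/{self.post_id}"


class Forbidden(Exception):
    pass


def _store(user, page_id, text):
    m = Mockup(next(_post_ids), page_id, user, text)
    MOCKUPS[m.post_id] = m
    return m


def require_page_role(user, page_id):
    role = PAGE_ROLES.get(page_id, {}).get(user)
    if role not in ALLOWED_ROLES:
        raise Forbidden(f"{user} holds no page role on {page_id}")


# v1: original behaviour. Both creation paths trust the client-supplied
# page_id, so swapping it for the victim's Page succeeds.
def save_mockup_v1(user, page_id, text):
    return _store(user, page_id, text)


def send_to_mobile_v1(user, page_id, text):
    return _store(user, page_id, text)


# v2: first fix. The check is bolted onto the mutation endpoint only; the
# "send to mobile" path still creates the post unchecked (the bypass).
def save_mockup_v2(user, page_id, text):
    require_page_role(user, page_id)
    return _store(user, page_id, text)


send_to_mobile_v2 = send_to_mobile_v1


# v3: second fix. The check lives in the one function that creates the
# object, so every entry point inherits it.
def create_mockup_checked(user, page_id, text):
    require_page_role(user, page_id)
    return _store(user, page_id, text)


def save_mockup_v3(user, page_id, text):
    return create_mockup_checked(user, page_id, text)


def send_to_mobile_v3(user, page_id, text):
    return create_mockup_checked(user, page_id, text)


def attacker_can_post(endpoint, page_id="page_victim"):
    """Replay the researcher's request with page_id swapped to the target.
    Returns the share link on success, None if the endpoint refused."""
    try:
        return endpoint("researcher", page_id, "not from this Page").share_link()
    except Forbidden:
        return None


if __name__ == "__main__":
    endpoints = [
        ("v1 save_mockup", save_mockup_v1), ("v1 send_to_mobile", send_to_mobile_v1),
        ("v2 save_mockup", save_mockup_v2), ("v2 send_to_mobile", send_to_mobile_v2),
        ("v3 save_mockup", save_mockup_v3), ("v3 send_to_mobile", send_to_mobile_v3),
    ]
    for name, fn in endpoints:
        print(f"{name:20} -> {attacker_can_post(fn)}")
```

Running the file prints, for each version and entry point, whether the replayed request with page_id pointed at the victim Page yields a share link. The v2 row for send_to_mobile is the pattern behind the reported bypass: a check added to one route does nothing for a second route that reaches the same state. The fix that holds is the v3 shape, where authorization is enforced where the object is created, not at each route that happens to call it.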