By Shubham Bhamare

The Admin's identity is a well kept secret among Facebook Pages, and its important for Facebook Pages to be able to function normally with the Page Admins kept anonymous by design. Anonymity and Privacy of Page Admins are a matter of great concern and the Facebook security team has paid great concern to such issues related to page admin identity leaks.

The Story

Back in 2018, I spotted a vulnerability in Facebook that could have exposed the identity of Facebook page admins if they had the page linked to a group with marketplace features enabled, and posts were subject to approval on the Page's group.

Disclosing the Page Admin identity is considered a serious vulnerability as it can affect the anonymity of the page admin, which is ingrained in Facebook's privacy model.

The Bug

The bug was found on the Facebook web version.

I created two users - User A and User B, where User A owned a Facebook page, and User B was part of the group which was linked to User A's page, and the group had marketplace feature enabled (along with post moderation, which most groups enable nowadays to combat with spam). This happened in the case of Groups owned by Facebook Pages.

The Weird Case

Group owned by Page

User A, was the Page admin and controlled the Page's group as well, however it was not readily known to any member whether User A also controlled the Group as Group admin, and the Group appeared to be owned by User A's page (and not User A himself).

If User B, who is a member of User A's group posts a listing for selling an item on the Page's group, since it only allowed approved posts – the post would appear in the moderation queue for User A who was the Page admin.

User B makes a "For Sale" listing (post) on the Page's group

After posting the advertisement to the group, User B needs to wait for the Admin to moderate his post.

There was a feature that allowed any group member to Message the Seller about the sale listing. However, this also appeared when the post was in the moderation queue.

Feature that allowed Messaging the seller on Group post

The Accidental Identity Disclosure

Messaging the Seller button feature is supposed to help users in reaching out to the owner of the sale listing in order to communicate about the deal. However, in case – the post was pending moderation, it was possible that an Admin of the page who moderated the group to click on this button.

Once the post enters the moderation queue, if User A who is the Page Admin and also moderates the Page's group clicked on the Message Seller button on the listing posted by User B, he would be sending a message to User B. This could have accidentally exposed the Page Admin or, User A's identity to User B.

Thus, if it was not moderated yet and not viewable by any other member – it's fair to assume User A was the admin of the Page, and also moderated the Page's group.

User A's identity disclosed while messaging the seller (User B)

The Fix

Remove the malfunctioning button from the posts when the group moderator was acting as a Page or, moderating posts on the group's behalf.

Incomplete Fix

Even after the Facebook Security team fixed this by disabling the Message Seller button when the group moderator acted as Page admin and owned the group as a Page, the button was still working on older unapproved posts. Thus, still potentially allowing malicious group members to abuse this feature to reveal Page admins

The Bounty

The Facebook security team rewarded $1500 for this issue, as it was reported through their bug bounty program.

About the author

Shubham Bhamare is an Indian security researcher, and entrepreneur from Maharastra, India.