Patch. Bypass. Repeat: Story of a FaceBook Page Admin Disclosure bug worth $5000
This bug could have unintentionally exposed the identity of a Facebook Page admin through the "Create doc" button. It is one of the most unique finds for me, because the bounty I received for this research was beyond my expectations.
Facebook is very cautious when it comes to the identity of a Page admin. However, I found a security vulnerability in Facebook that could have allowed disclosure of a Page admin's identity, which could affect the neutrality and privacy of the platform.
The Setup
Let's talk about the setup and assumptions we are going to make to understand this vulnerability.
- Sarah, a Facebook user, is the admin of the Sarah Facebook Page.
- The Sarah Page is linked to Sarah's Facebook Group and acts as its owner.
- Sarah did not want to be an admin of the Facebook Group under her own name, because she did not want to expose her identity.
- Sarah's Group has only one admin, i.e. Sarah's Page. Sarah herself is just a member of that group and always acts as the Page.
Steps to Reproduce the bug
- Start by creating a doc in Sarah's Facebook Group using the "Create Doc" button.
- Uncheck the option "Allow group members to edit this document" before publishing it, so that only the creator of the document or the Group administrators are able to edit it.
- Now, acting as Sarah's Page, edit and publish this document.
- Upon checking the Edit History of this document, we can see who edited the document, and Sarah's name comes up.
How is this even a bug?
The point is that, since only Group admins or the document owner are allowed to make changes to the document, any Group member can easily determine the identity of the Page admin, Sarah, through the Edit History feature: the edit was performed as the Page, but the history attributed it to the person behind the Page.
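The flaw is an attribution mismatch: the permission check is evaluated against the identity the user is acting as (the Page), but the edit history records the underlying human account. The following model is an added example, not Facebook's code; the `Actor`, `Session` and `Doc` types, the names and the group membership are all constructed for illustration. It shows the vulnerable attribution next to the fixed one, and checks that a plain member cannot edit at all, which is exactly why an entry in the history implies admin or owner status.

```python
from dataclasses import dataclass, field

# Hypothetical model of identities: a human account or a Page it administers.
@dataclass(frozen=True)
class Actor:
    kind: str   # "user" or "page"
    name: str

@dataclass
class Session:
    user: Actor        # the logged-in human account
    acting_as: Actor   # the identity selected for the action (the user or a Page)

@dataclass
class Doc:
    owner: Actor
    members_can_edit: bool
    history: list = field(default_factory=list)  # names shown in Edit History

def can_edit(doc: Doc, session: Session, group_admins: set) -> bool:
    """Authorization is (correctly) decided on the acting identity."""
    effective = session.acting_as
    return doc.members_can_edit or effective == doc.owner or effective in group_admins

def edit_vulnerable(doc: Doc, session: Session, group_admins: set) -> None:
    """Vulnerable variant: records the human behind the Page in the history."""
    if not can_edit(doc, session, group_admins):
        raise PermissionError("only the owner or group admins may edit")
    doc.history.append(session.user.name)  # BUG: leaks the Page admin's real name

def edit_fixed(doc: Doc, session: Session, group_admins: set) -> None:
    """Fixed variant: attribution uses the same identity that was authorized."""
    if not can_edit(doc, session, group_admins):
        raise PermissionError("only the owner or group admins may edit")
    doc.history.append(session.acting_as.name)  # shows the Page, not Sarah

def demo() -> tuple:
    """Replays the write-up's scenario; returns (leaked history, fixed history)."""
    sarah = Actor("user", "Sarah")            # constructed: the Page admin
    page = Actor("page", "Sarah Page")        # constructed: the group's only admin
    creator = Actor("user", "Group Member A") # constructed: created the doc
    group_admins = {page}

    # Doc published with "Allow group members to edit" unchecked.
    leaky_doc = Doc(owner=creator, members_can_edit=False)
    fixed_doc = Doc(owner=creator, members_can_edit=False)

    # Sarah edits while acting as the Page.
    session = Session(user=sarah, acting_as=page)
    edit_vulnerable(leaky_doc, session, group_admins)
    edit_fixed(fixed_doc, session, group_admins)
    return leaky_doc.history, fixed_doc.history

def member_can_edit_locked_doc() -> bool:
    """An ordinary member acting as themselves is refused, so any history entry
    on a locked doc must belong to the owner or an admin."""
    member = Actor("user", "Group Member B")  # constructed
    doc = Doc(owner=Actor("user", "Group Member A"), members_can_edit=False)
    try:
        edit_fixed(doc, Session(user=member, acting_as=member), {Actor("page", "Sarah Page")})
    except PermissionError:
        return False
    return True

if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable history:", leaked)  # ['Sarah']  -> identity disclosed
    print("fixed history:     ", fixed)   # ['Sarah Page']
```

The design point is that authorization and audit attribution must be derived from the same principal. Whenever a system lets a user act as a delegated identity, every user-visible trace of the action (history, notifications, logs shown to other members) should carry the delegated identity, and a test like `demo()` above is a cheap regression check for each new entry point, which is what the later "Files" tab bypass turned out to need.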
Patch. Bypass. Repeat
This followed a patch, bypass and repeat cycle. When the team patched the problem with the "Create doc" button in the post editor, I subsequently found another similar button on the "Files" tab that was also vulnerable.
When the team reviewed the second patch, they internally identified a third vector that could still be exploited in the same way.
$5,000 Bounty
As a result of all three vulnerabilities, the Facebook team rewarded me $5,000, which includes the vector they found internally. This is why I love the Facebook team so much!
Report Timeline
Oct 13, 2018: Report submitted to the Facebook Security team
Oct 17, 2018: Pre-triaged
Oct 17, 2018: Triaged
Oct 17, 2018: Submitted additional information about another insecure "Create doc" button
Feb 09, 2019: Vulnerabilities fully fixed
Feb 09, 2019: $5,000 bug bounty awarded