The cause of the issue is that Facebook gives a page’s admins/mods unnecessary priority: they can join the group without confirmation from the group’s admin. I may not fully understand the issue, but fortunately I still got my first valid report.
Title | Disclose page’s admin to mod/admin of group
Vuln Type | Other
Product Area | Groups
If a mod/admin of the group monitors it regularly, it is possible to learn who the page’s admins are when the page is linked to the group.
Disclose page’s admin
Users: UserA, UserB, UserC
+ PageX with owner UserA, analyst (or whatever) UserB
+ GroupOne with owner UserA, mod (or admin) UserC
App version: N/A
1. UserA creates GroupOne and PageX, adds UserB as an analyst of PageX, and adds UserC as a mod of GroupOne.
2. UserC monitors the “Activity Log” (www.facebook.com/groups/GROUPID/admin_activities).
3. UserNormal and UserB join the group.
If a user is added by PageX and UserC is not notified (PageX auto-accepts UserB’s request to join), that user is a member of the Page’s admin group (UserB).
More detail after Facebook closed report as Informative
Hello, it seems you are misunderstanding the problem I want to report here. With the setting that only an admin can accept members to join the group, combined with the fact that the page’s admin will automatically join the group, if a user doesn’t need admin acceptance (no notification) but still has group access, we can confirm that it is an admin of the page.
I have taken a video to better describe the report.
UserB needs to combine “Activity Log” and “Member Requests” to be able to detect who is the page’s admin.
November 24, 2020: Report Sent
December 2, 2020: Closed as Informative by Facebook
December 2, 2020: Review Requested
December 5, 2020: Requested for more information by Facebook
December 7, 2020: Sent new PoC and more detail
December 11, 2020: Acknowledged by Facebook
January 18, 2021: Fixed and Bounty awarded by Facebook