1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group

Story

The cause of the issue is that Facebook gave a page's admins/mods an unnecessary privilege: they could join a group linked to the page without confirmation from the group's admin. I may not fully understand the issue, but fortunately I still got my first valid report.

Summary from Facebook for my first valid report

Report

Title | Disclose page’s admin to mod/admin of group

Vuln Type | Other

Product Area | Groups

Description/Impact

Complete Details
If a mod/admin of the group monitors its activity regularly, they can find out who the admins of a page are, provided the page is linked to the group.

Impact
Disclose page’s admin

Repro Steps

Setup
===
Users: UserA, UserB, UserC
Environment:
+ PageX with owner UserA and UserB in a page role (analyst, or any other page role)
+ GroupOne with owner UserA and UserC as mod (or admin); membership requests require approval by a group admin/mod
Browser: N/A
App version: N/A
OS: N/A
Description: N/A

Steps
==
1. UserA creates GroupOne with the setting that only admins/mods can approve member requests, creates PageX, links PageX to GroupOne, and adds UserB as an analyst of PageX and UserC as a mod of GroupOne.
2. UserC monitors the group's "Activity Log" (www.facebook.com/groups/GROUPID/admin_activities) together with its "Member Requests".
3. UserNormal and UserB join the group.

UserNormal's request must be approved by a group admin/mod, so UserC sees it. UserB is admitted automatically through PageX, so UserC is never notified and no approval appears. Any member who turns up in the group without a request that a group admin/mod approved can therefore only have come in via the linked page, which discloses that they hold an admin/staff role on PageX (here UserB).
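To make the oracle concrete, here is an added example that models the correlation a group mod performs between the two views. It is not code from the report or from Facebook; the log format, field names and sample entries are constructed for illustration and do not reflect Facebook's real data model. It also handles the precondition the report depends on: if the group does not require admin approval, a join without an approval entry proves nothing.

```python
# Added example: a toy model of the membership oracle described in the
# repro steps. This is not code from the report or from Facebook; the log
# format, field names and sample entries below are constructed for
# illustration and do not reflect Facebook's real data model.

# Constructed group settings: membership requests must be approved by an admin/mod.
GROUP_SETTINGS = {"approval_required": True}
GROUP_STAFF = {"UserA", "UserC"}  # group owner and mod, as in the Setup section

# Constructed "Member Requests" view as the group mod (UserC) would see it:
# only UserNormal ever produced a request that a group admin/mod acted on.
MEMBER_REQUESTS = [
    {"user": "UserNormal", "approved_by": "UserC"},
]

# Constructed "Activity Log" lines: "<timestamp> <event> <user> [by <actor>]".
# UserB appears with a join event but no matching request/approval.
ACTIVITY_LOG = """\
2020-11-24T10:00:00Z approved_request UserNormal by UserC
2020-11-24T10:00:01Z joined UserNormal
2020-11-24T10:05:00Z joined UserB
"""


def parse_activity_log(text):
    """Parse the constructed activity-log format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, event, user = parts[:3]
        actor = parts[4] if len(parts) >= 5 and parts[3] == "by" else None
        events.append({"ts": ts, "event": event, "user": user, "actor": actor})
    return events


def infer_page_staff(settings, events, member_requests, group_staff):
    """Return the members who joined without any admin/mod approval.

    With approval required, the only way into the group without a request
    that a group admin/mod approved is the linked page's auto-admission, so
    every such member belongs to the page's admin/staff set. Returns None
    when the group does not require approval: then anyone can join without
    a request and the oracle tells you nothing.
    """
    if not settings.get("approval_required"):
        return None
    approved = {r["user"] for r in member_requests if r["approved_by"] in group_staff}
    approved |= {
        e["user"] for e in events
        if e["event"] == "approved_request" and e["actor"] in group_staff
    }
    joined = {e["user"] for e in events if e["event"] == "joined"}
    # Group staff are members by construction, not via the page link.
    return (joined - approved) - group_staff


if __name__ == "__main__":
    events = parse_activity_log(ACTIVITY_LOG)
    print(infer_page_staff(GROUP_SETTINGS, events, MEMBER_REQUESTS, GROUP_STAFF))
    # {'UserB'}  (the page-side role holder that UserC never approved)
```

The check that matters is the one in `infer_page_staff` on `approval_required`: the disclosure exists only because the group's own approval gate is bypassed for page staff, so with an open group the same join event carries no information.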

More detail after Facebook closed report as Informative

Hello, it seems you are misunderstanding the problem I want to report here. With the setting that only an admin can accept members into the group, combined with the page's admins automatically joining the group, if a user doesn't need admin acceptance (no notification) but still has group access, we can confirm that they are an admin of the page.

I have taken a video to better describe the report.
UserC (the group mod) needs to combine the "Activity Log" and "Member Requests" views to detect who is a page admin.

PoC

https://www.youtube.com/watch?v=PmY9lQmcMLc

Timeline

November 24, 2020: Report Sent
December 2, 2020: Closed as Informative by Facebook
December 2, 2020: Review Requested
December 5, 2020: Facebook requested more information
December 7, 2020: Sent new PoC and more detail
December 11, 2020: Acknowledged by Facebook
January 18, 2021: Fixed and Bounty awarded by Facebook
