1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group | by nhiephon

1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group
nhiephon
Feb 2·2 min read
StoryThe cause of issue is that Facebook has unnecessary priority for page’s admin/mod. They can join the group without confirmation from group’s admin. I may not fully understand the issue, but fortunately I still get my first valid report.
<img alt="" class="fd em ei je w" src="https://miro.medium.com/max/1306/1*YOA70ya2c7l9HDKmLk1kvA.png" width="653" height="175" srcSet="https://miro.medium.com/max/552/1*YOA70ya2c7l9HDKmLk1kvA.png 276w, https://miro.medium.com/max/1104/1*YOA70ya2c7l9HDKmLk1kvA.png 552w, https://miro.medium.com/max/1280/1*YOA70ya2c7l9HDKmLk1kvA.png 640w, https://miro.medium.com/max/1306/1*YOA70ya2c7l9HDKmLk1kvA.png 653w" sizes="653px" role="presentation"/>
Summary from Facebook for my first valid reportReportTitle | Disclose page’s admin to mod/admin of group
Vuln Type | Other
Product Area | Groups
Description/Impact
Complete Details
If mod/admin of the group follows regularly, it is possible to know who is page’s admin if the page is linked to the group.
Impact
Disclose page’s admin
Repro Steps
Setup
===
Users: UserA, UserB, UserC
Environment:
+ PageX with owner UserA, analyst (or whatever) UserB
+ GroupOne with owner UserA, mod (or admin) UserC
Browser: N/A
App version: N/A
OS: N/A
Description: N/A
Steps
==
1. UserA create GroupOne and PageX; add analyst of PageX: UserB; add mod of GroupOne: UserC
2. UserC monitor “Activity Log”. (www.facebook.com/groups/GROUPID/admin_activities)
3. UserNormal and UserB join group
If a user is added by PageX but UserC are not notified (PageX auto accept UserB to join). It is a member of the Page’s admin group (UserB).
More detail after Facebook closed report as Informative
Hello, it seems you are misunderstanding the problem I want to report here. With the setting that only admin can accept members to join group, combined with the page’s admin will automatically join the group, then, if an user doesn’t need admin accept (no notification) but still have group access. We can confirm that it is an admin of the page.
I have taken a video to better describe the report.
UserB needs to incorporate “Activity Log” and “Member Requets” to be able to detect who is page’s admin.
PoC
https://www.youtube.com/watch?v=PmY9lQmcMLc
TimelineNovember 24, 2020: Report Sent
December 2, 2020: Closed as Informative by Facebook
December 2, 2020: Review Requested
December 5, 2020: Requested for more information by Facebook
December 7, 2020: Sent new PoC and more detail
December 11, 2020: Acknowledged by Facebook
January 18, 2021: Fixed and Bounty awarded by Facebook

1st Facebook Bug Bounty | Disclose page’s admin to mod/admin of group

Story

Report

Timeline

nhiephon

More from nhiephon

More From Medium

Hi, I’m a Guy Who Doesn’t Own a Bed Frame Giving You A Tour of My Shitty Apartment

I, Schrödinger’s Cat, Want You To Know That I Am Alive In This Box

Job Hunting Amidst the Impending Apocalypse? Try This Cover Letter Template!

Business Ideas Most Likely to Make Money in 2021

Other Primal Emotions Besides Love that Make a Subaru a Subaru

To The Gay Man Who Dumped Me, His Old Hag, For A Shiny New Ally

NFL Draft Prospect Or My Landlord Who Keeps Avoiding A Rent Freeze Discussion

I Am Your Google Drive, And I Am Overwhelmed