This write-up was also published here.
Soooo I was posting for a special event that happened in one of my organization’s pages. I upgraded that post through a prompt message, “It looks like something special happened. Want to make this post a life event?” when suddenly I noticed an unusual behavior; it disclosed myself as one of the page admins publicly, through my profile’s Life Events section by redirecting any Facebook user who visits my profile to such Page Post after clicking on it. Thus, implying I’m one of the page’s admins.
Steps to Replicate
- UserA = Account who manages a Facebook Page (page admin)
- UserB = Stalker/Attacker
Using UserA, create a public post on the Page you are managing. Make sure that such post is congratulatory-worthy or something that would pop out the Life Event message enabling such post to be upgraded.
[Still UserA’s perspective] Once already posted, notice a prompt message on top of it saying: “It looks like something special happened. Want to make this post a life event?” which is then giving me two options, one is “No Thanks” which declines the post being upgraded and the other is “Upgrade Post” that enables such post to be upgraded. Click on the “Upgrade Post” button and supply the necessary details.
[Still UserA’s perspective] Go to your profile’s About Section Life Events [base url/username/about?section=year-overviews] and notice that the Life Event you posted via your page is listed there or simply, go to your profile, scroll down to your Life Events section to verify.
[UserB’s perspective] UserB goes to UserA’s profile and clicks on any of UserA’s Life Events, it redirects UserB to the Page Post thereby validating/disclosing that UserA is an admin of that Page since it was linked to his or her personal account as a Life Event.
“This could have led to a page admin disclosure by upgrading a page post to a life event.” -Facebook
Proof of Concept
December 19, 2019 :: Report Submitted
January 09, 2020 :: Triaged after several discussions
“Hi Dan, Thanks for your patience and for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress. Thanks”
February 06, 2020 :: Fixed the bug
February 07, 2020 :: Bounty awarded ($3,000) and entered FB's 2019 Hall-of-Fame [Number 70]