March 8, 2018

A Simple Facebook Bug Revealed the Identity of Page Admins

Facebook pages have become the easiest way for many brands, products, movies, celebrities, etc., to get started marketing on Facebook. There are already several hundred thousand pages on Facebook, with millions of users altogether. These pages are usually maintained by people called ‘Page admins’, who regularly post updates on the page.


Facebook Page admins’ profiles are usually anonymous, so that comments and questions, whether praise or rants, go to the page rather than to the admins personally. The profiles are publicly displayed only if admins have chosen to feature them. For business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself. However, there are some situations where you might want to contact a Facebook page admin or find out who the owner of a Facebook page is!

A Mexican security researcher recently discovered a severe information disclosure vulnerability in Facebook that could have allowed anyone to expose Facebook page administrator profiles, which are otherwise not supposed to be public information.

It all started when Facebook introduced a great feature that lets page admins target users who liked a specific post on their page but not the page itself, by sending those users invitations asking whether they wish to like the page. A few days later, these users may receive an auto-generated email reminding them of the invitation.

Mohamed A. Baset, the founder of cybersecurity firm Seekurity, received one such email invite, asking him to like a Facebook page on which he had previously liked a post. Looking at the email’s source code, the researcher noticed that it included the name of the page’s administrator and other details.


The researcher then immediately reported the issue to the Facebook Security Team through its Bugcrowd bug bounty program. The company acknowledged the bug and awarded him $2,500 for his findings.

In his blog post, Baset claims to have discovered the bug within a few minutes of receiving an invitation (i.e., in just 2’18”), without any kind of testing, proofs of concept, or any other time-consuming process.

Baset described the bug as a “logical error” in an auto-generated email sent on behalf of a Facebook page. Facebook has now patched this information disclosure vulnerability that exposed page administrators.

In a statement, Facebook admitted there was a problem but claimed the bug had been patched.

“We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them. We’ve addressed the root cause here, and future emails will not contain that information.”

Though Facebook has now patched this information disclosure issue, people who have already received one such page invitation can still find out admin details from the invitation emails.
