Admin Credentials of Facebook Pages Revealed by a Simple Bug


Security scientist Mohamed Baset has discovered a vulnerability that reveals confidential knowledge of Facebook users. However, solely directors of Facebook pages are affected. Your knowledge can get accidentally sent by the social network big Facebook via email notifications to users UN agency aren’t friends with the administrator.

Image credits:

The error that the social network big Facebook has currently removed happens once a user likes to “Like” a post on a Facebook page, however, doesn’t follow the page. In this case, the page administrator will invite the user to follow not solely the post however additionally the page by a “Like”.

Simple Bug in Facebook Revealing Admin Details

The invite sent by e-mail attracted the eye of the scientist. Inside minutes, he found within the header of the message not solely the name of the page in question however additionally the name of the associated administrator and alternative personal details. per his bug timeline, it solely took 3 minutes between receiving the e-mail and causation the bug report back to the social network big Facebook.

In a diary post, Baset aforementioned he found the vulnerability, that he delineate as a “logical error,” when receiving asking to love a specific Facebook page on that he had antecedently liked a post.

Facebook has introduced a feature for page admins whereby they will send Facebook invites to users asking them if they wanted to love their page when feeling a post, and a couple of days later, these interacted users could receive the associate email reminding them of the invite.

After Baset received one such email invite, he merely opened “show original” menu choice in the email. Staring at the email’s ASCII text file, he noticed that it enclosed the page administrator’s name, admin ID and alternative details.

The scientist then in real time according to the difficulty to the Facebook Security Team through its Bugcrowd bug bounty program. the corporate acknowledged the bug and awarded Baset $2,500 for his findings. Though Facebook has currently patched this info speech act issue, folks that have already received one such page invite will still establish admin details from the invite emails.

We were ready to perceive that page invites sent to non-friends could unknowingly embrace the name of the page administrator UN agency sent the invite. we’ve got resolved the underlying drawback and future emails won’t contain this info,” the social network big Facebook’s response to Baset.

The scientist additionally rewarded by the social network big Facebook a hefty quantity of $2,500. per him, it absolutely was the second time that he discovered an error on Facebook, while not having to put in writing one line of code.


Please enter your comment!
Please enter your name here