Connect with us

Hi, what are you looking for?

Cyber Security

Teen hacker scoops $4,500 bug bounty for Facebook flaw that allowed attackers to unmask page admins

A 19-year-old hacker from Nepal has received a $4,500 bug bounty following their discovery of an easy-to-exploit vulnerability that allowed users to reveal the identity of page administrators.

Facebook Pages are used as engagement hubs for businesses, brands, and organizations. Distinct from Facebook Groups, where admins are always visible, the owners of these pages are kept hidden.

Vulnerable endpoint

After digging around in the Facebook-for-Android app, ethical hacker Sudip Shah discovered an insecure direct object reference (IDOR) vulnerability that could have allowed an attacker to disclose the identity of a page administrator.

For the exploit to work, the target page was required to have at least one Facebook Live video.

“While intercepting and navigating to any page’s live video section in Facebook Android, I found a vulnerable endpoint,” Shah told The Daily Swig.

“When the page_id in a request is changed to any page_id then the page admin is disclosed in the response in the broadcaster_id parameter.”

The researcher added: “This could be escalated further to fetch the admin information of a huge number of pages by creating a script… and capturing the admin information from the broadcaster_id in the response to a new text file.”

High impact

Discussing the potential impact of the vulnerability, Shah said: “Page and personal IDs are totally different things, and the page admin of any Facebook page is supposed to be kept unknown.

“This is a severe information disclosure bug if someone finds the admin’s personal account. For example, many celebrities and huge personalities operate through Facebook pages, so if their personal Facebook account is disclosed then it’s like getting their personal phone numbers, which is a great problem to their privacy.”

“I reported [the bug] to the Facebook security team on October 5, 2021, and they gave a ‘Nice find :)’ response and triaged my report on October 7, and told me to refrain from further testing.

“They fixed this vulnerability on October 21, and I got awarded $4,500 on November 5. I became really happy as it was my first high-impact bug that I found on Facebook.”

Responding to a query from The Daily Swig, a Meta spokesperson confirmed that the vulnerability has been fixed in Facebook’s Android app, and thanked the researcher for his coordinated disclosure.

Shah is currently ranked number 38 in Facebook’s bug bounty Hall of Fame. He has detailed his latest findings in a Medium post.

Source: https://portswigger.net/daily-swig/teen-hacker-scoops-4-500-bug-bounty-for-facebook-flaw-that-allowed-attackers-to-unmask-page-admins

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

A new report says a cyber threat actor within Russia’s military intelligence service leveraged a novel malware campaign targeting Android devices used by the...

Cyber Security

Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that...

Cyber Security

NodeStealer, a newly discovered malware on Meta, was identified by Facebook as stealing browser cookies. Due to this vulnerability, threat actors can obtain illicit...

Cyber Security

ANALYSIS Weaknesses in the existing CVSS scoring system have been highlighted through new research, with existing metrics deemed responsible for “overhyping” some vulnerabilities. So-called “overinflated” ratings...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO