A 19-year-old hacker from Nepal has received a $4,500 bug bounty following their discovery of an easy-to-exploit vulnerability that allowed users to reveal the identity of page administrators.
Facebook Pages are used as engagement hubs for businesses, brands, and organizations. Distinct from Facebook Groups, where admins are always visible, the owners of these pages are kept hidden.
Vulnerable endpoint
After digging around in the Facebook-for-Android app, ethical hacker Sudip Shah discovered an insecure direct object reference (IDOR) vulnerability that could have allowed an attacker to disclose the identity of a page administrator.
For the exploit to work, the target page was required to have at least one Facebook Live video.
“While intercepting and navigating to any page’s live video section in Facebook Android, I found a vulnerable endpoint,” Shah told The Daily Swig.
“When the page_id in a request is changed to any page_id then the page admin is disclosed in the response in the broadcaster_id parameter.”
The researcher added: “This could be escalated further to fetch the admin information of a huge number of pages by creating a script… and capturing the admin information from the broadcaster_id in the response to a new text file.”
High impact
Discussing the potential impact of the vulnerability, Shah said: “Page and personal IDs are totally different things, and the page admin of any Facebook page is supposed to be kept unknown.
“This is a severe information disclosure bug if someone finds the admin’s personal account. For example, many celebrities and huge personalities operate through Facebook pages, so if their personal Facebook account is disclosed then it’s like getting their personal phone numbers, which is a great problem to their privacy.”
“I reported [the bug] to the Facebook security team on October 5, 2021, and they gave a ‘Nice find :)’ response and triaged my report on October 7, and told me to refrain from further testing.
“They fixed this vulnerability on October 21, and I got awarded $4,500 on November 5. I became really happy as it was my first high-impact bug that I found on Facebook.”
Responding to a query from The Daily Swig, a Meta spokesperson confirmed that the vulnerability has been fixed in Facebook’s Android app, and thanked the researcher for his coordinated disclosure.
Shah is currently ranked number 38 in Facebook’s bug bounty Hall of Fame. He has detailed his latest findings in a Medium post.