Hey, this is Rajiv Gyawali from Nepal. This blog post is about one of my findings on Meta, reported under its white hat program.
Here is the story — Facebook was newly launching its Profile+ pages, and only selected pages had been transferred to the new page experience. Around that time, one of my Facebook friends invited me to follow her page, which had already been converted to a new page.
There was something catchy about the invitation. For old classic pages we used to get an invite notification like "Mr X invited you to like this page", but in that case (a new page) the invitation read "Mr X invited you to like/follow their page".
A single word, "their", disclosed the identity of the admin to the person being invited. In other words, if you were an admin of Page XYZ and invited someone to like/follow your page, you would expect Facebook to send the usual notification, but due to the bug it revealed that you were an admin of that page.
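To make the class of bug concrete, here is an added example (not code from the original writeup or from Meta). It models the invite notification described above: a constructed "before" template whose wording depends on whether the inviter administers the page, the hardened template that never reads that flag, and a differential check that renders the same invite for an admin and for an ordinary member and flags any difference in the text. The names, the exact wording and the assumption that non-admin inviters received "this page" are all constructed for illustration.

```python
# Added example, not code from the original writeup or from Meta. It models the
# invite notification described above and shows the differential check that
# would have caught the leak: the same invite is rendered with the inviter as an
# admin and as an ordinary member, and the two texts must be identical.
# All names and wording are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Callable, List


@dataclass(frozen=True)
class Invite:
    inviter_name: str
    page_name: str
    new_page_experience: bool   # classic page vs. new page experience
    inviter_is_admin: bool      # privileged attribute; must not affect the text


Renderer = Callable[[Invite], str]


def render_invite_buggy(inv: Invite) -> str:
    """Constructed 'before' version: the new-page template switches to the
    possessive 'their' when the inviter administers the page."""
    if not inv.new_page_experience:
        return f"{inv.inviter_name} invited you to like this page"
    # The bug: the wording depends on the inviter's role on the page, so the
    # recipient can tell an admin from an ordinary member.
    owner = "their" if inv.inviter_is_admin else "this"
    return f"{inv.inviter_name} invited you to like/follow {owner} page"


def render_invite_fixed(inv: Invite) -> str:
    """Hardened version: the template never reads the role flag, so admins and
    members produce byte-identical notifications."""
    if not inv.new_page_experience:
        return f"{inv.inviter_name} invited you to like this page"
    return f"{inv.inviter_name} invited you to like/follow this page"


def leaks_role(render: Renderer, inv: Invite) -> bool:
    """True if flipping only the inviter's admin flag changes the rendered text.

    This is the check to put in a test suite: any user-visible string that
    differs solely on a privileged attribute is an information disclosure.
    """
    as_admin = render(replace(inv, inviter_is_admin=True))
    as_member = render(replace(inv, inviter_is_admin=False))
    return as_admin != as_member


def find_leaking_scenarios(render: Renderer) -> List[str]:
    """Run the differential check over both page types and return the labels
    of scenarios whose notification text reveals the inviter's role."""
    base = Invite("Mr X", "Page XYZ", new_page_experience=False, inviter_is_admin=False)
    leaks = []
    for label, new_page in (("classic", False), ("new_page_experience", True)):
        if leaks_role(render, replace(base, new_page_experience=new_page)):
            leaks.append(label)
    return leaks


if __name__ == "__main__":
    print("buggy template leaks in:", find_leaking_scenarios(render_invite_buggy))
    print("fixed template leaks in:", find_leaking_scenarios(render_invite_fixed))
```

The check is deliberately independent of the exact wording: it does not look for the word "their", it only asks whether a privileged attribute can influence what the recipient sees, so it keeps working when copy is rewritten.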
The issue has already been resolved by Meta, and I am sharing this under its responsible disclosure policy.
I hope you enjoyed reading this writeup. You can connect with me here on Facebook.