Hi All, I am kunjan Nayak from Nepal, This write-up is about a security vulnerability which was discovered on Facebook, while liking a FB page using page inbox of FB4A (Facebook For Android) the action was always done as personal ID of page admin exposing the identity of page admin instead of page’s. The issue has been resolved and being published under responsible disclosure policy.

A page post which is created with a video using “Promote Your Page” feature, exactly similar to this “Post”. Misusing such posts, a malicious user can take advantage of this by creating such post and sharing the post to victim page via private messages which contains a “Like” button in order to receive Page likes from victim admin’s to expose their identity.

When the post link delivered to victim page inbox, and the attachment opened with FB4A app, there is option to like the attacker page via page “Like” button which appears in the link preview inside the page inbox leads to a security bug, when the like button is clicked, the action is done as page admin personal voice instead of page, as a result the page is liked from admin’s personal profile exposing the admin identity. Despite the admin is interacting as page by default in page inbox.

what is link preview?

Link previews are more eye-catching and clickable than plain URLs — by giving the link an image, title, description, and more, providing people with the specific information that’ll make them want to click.

An embedded like button in page inbox uses the page admin’s personal voice when clicked, disclosing their identity to the sender.

Setup
===
UserA admin of pageA

UserB admin of PageB using FB4A app to manage page messages.

Repro steps:

UserA share a link of a post that contains a page like button to PageB via private message.

2. UserB receives the link in his page inbox , by opening the attachment using page inbox of FB4A app or mobile version of FB android/iOS, he can see a “LIKE” button in the link preview.

3. PageB decides to Like the page, and clicks the page “Like” button but unintentionally the action is done as admin personal ID instead of page’s ID which leaks admin identity.

4. An admin opens his page inbox to like the page but the page is liked using admin’s personal ID exposing the identity the of page admin.

February 1, 2021: Report Sent.

February 11, 2021: Pre-Triaged.

February 11, 2021: Triaged.

March 4, 2021: Fixed.

March 9, 2021: Bounty Rewarded $xxx.

I bypassed this issue multiple times using same concept and received additional bounties for these i.e. $xxx +$xxx for two bypass making the total four digit $xxxx reward.

Additionally after third bypass, I can still bypass the patch since I had already identified three more new bypass to reproduce this issue but one of them got duplicated against FB internal work as the team was trying to fix this as a part holistic fix .

Finally I was not able to report the rest bypasses because after multiple bypass, the team applied a long term fix and the link preview feature is permanently disabled from FB4A page inbox, since the link preview was the main cause of this issue and now whenever the post or link is shared to page’s inbox then link preview does not appears on FB4A or mobile version of FB(m.facebook.com) page inboxes.

However, it was very disappointing and I was unlucky at that time because this report is exactly similar to this “Report” having same concept. which received higher bounty in the past, but FB had changed their payout decision in between on this kind of issue which includes a page inbox for admin disclosure that’s why I had received a lowered payout.

Asked for reasonable Explanation on this.

Asked for payout reassessment by referencing exactly similar reports which was reported in past .

But according to FB policy “We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.”

The Similar Report

https://servicenger.com/blog/mobile/facebook-page-admin-disclosure/

And FB replied, “Regarding the other report linked (past reports), that one was a good while ago, so it won’t be applicable, as we’ve changed our stance in between”. After this I left this report and moved on!!!.

See you soon ;) with Next write-up, my first Valid bug on Facebook still not fixed “Story of my 1st valid bug on Facebook” .

You can reach out to me on Facebook , twitter :)