Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.

The researcher found the vulnerability while analyzing Creative Hub, a tool that allows Facebook users to create and preview ads for Facebook, Instagram or Messenger. Creative Hub enables users to collaborate on ad mockups and the ads can be previewed by creating an invisible post on the selected page.

These invisible posts have an ID and a link, but they are not visible on the page where they have been created — they can only be viewed by users who have the link.

Darabi discovered that changing the page_id parameter in a request sent when creating such an invisible post leads to the post being created on the Facebook page associated with the specified page_id. “All we need to do is to find the post_id that exists on any ad preview endpoints,” he explained.

However, when an invisible post is created to preview an ad, Facebook checks if the user has the permissions needed to post on the targeted page. The researcher bypassed this requirement by abusing the “Share” feature in Creative Hub, which creates a link that gives others access to the ad preview. The permission check was missing when this Share feature was used, enabling an attacker to create invisible posts on pages where they did not have any role.

This vulnerability could have been highly useful to malicious actors as it would have allowed them to create posts with any content — this includes scams and malicious links — on any Facebook page, making their posts more likely to be trusted by users. Darabi told SecurityWeek that an attacker could have easily shared the invisible post on Facebook groups, profiles and pages.

“These types of posts are not shown on the feed timeline but are accessible via a direct link,” Darabi explained in a blog post. “The main impact of these types of posts is that the page admins cannot view or delete them since they don’t have any links.”

Darabi reported his findings to Facebook on November 6 and the social media giant implemented a fix within a week. However, the researcher managed to bypass the fix. He earned $15,000 for finding the vulnerability and another $15,000 for bypassing Facebook’s patch. The company said it had found no evidence of exploitation for malicious purposes.

Bug bounty hunter Youssef Sammouda also reported finding an interesting Facebook vulnerability recently. He also earned $30,000 from Facebook for a security flaw he reported to the company in November 2020.

Sammouda discovered a cross-site scripting (XSS) vulnerability on a subdomain for Facebook’s Oculus VR headsets, which ultimately allowed him to hijack both Oculus and Facebook accounts. The researcher published a blog post detailing his findings earlier this month.

Related: Email Address of Instagram Users Exposed via Facebook Business Suite

Related: Facebook Pays $60,000 for Vulnerability in Messenger for Android

Related: Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Related: Facebook Announces Vulnerability Reporting and Disclosure Policy