One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.
Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.
The researcher found the vulnerability while analyzing Creative Hub, a tool that allows Facebook users to create and preview ads for Facebook, Instagram or Messenger. Creative Hub enables users to collaborate on ad mockups and the ads can be previewed by creating an invisible post on the selected page.
These invisible posts have an ID and a link, but they are not visible on the page where they have been created — they can only be viewed by users who have the link.
Darabi discovered that changing the page_id parameter in a request sent when creating such an invisible post leads to the post being created on the Facebook page associated with the specified page_id. “All we need to do is to find the post_id that exists on any ad preview endpoints,” he explained.
However, when an invisible post is created to preview an ad, Facebook checks if the user has the permissions needed to post on the targeted page. The researcher bypassed this requirement by abusing the “Share” feature in Creative Hub, which creates a link that gives others access to the ad preview. The permission check was missing when this Share feature was used, enabling an attacker to create invisible posts on pages where they did not have any role.
This vulnerability could have been highly useful to malicious actors as it would have allowed them to create posts with any content — this includes scams and malicious links — on any Facebook page, making their posts more likely to be trusted by users. Darabi told SecurityWeek that an attacker could have easily shared the invisible post on Facebook groups, profiles and pages.
“These types of posts are not shown on the feed timeline but are accessible via a direct link,” Darabi explained in a blog post. “The main impact of these types of posts is that the page admins cannot view or delete them since they don’t have any links.”
Darabi reported his findings to Facebook on November 6 and the social media giant implemented a fix within a week. However, the researcher managed to bypass the fix. He earned $15,000 for finding the vulnerability and another $15,000 for bypassing Facebook’s patch. The company said it had found no evidence of exploitation for malicious purposes.
Bug bounty hunter Youssef Sammouda also reported finding an interesting Facebook vulnerability recently. He also earned $30,000 from Facebook for a security flaw he reported to the company in November 2020.
Sammouda discovered a cross-site scripting (XSS) vulnerability on a subdomain for Facebook’s Oculus VR headsets, which ultimately allowed him to hijack both Oculus and Facebook accounts. The researcher published a blog post detailing his findings earlier this month.
Related: Email Address of Instagram Users Exposed via Facebook Business Suite
Related: Facebook Pays $60,000 for Vulnerability in Messenger for Android
Related: Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability
Related: Facebook Announces Vulnerability Reporting and Disclosure Policy

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
