Security Experts:

Connect with us

Hi, what are you looking for?



Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.

The researcher found the vulnerability while analyzing Creative Hub, a tool that allows Facebook users to create and preview ads for Facebook, Instagram or Messenger. Creative Hub enables users to collaborate on ad mockups and the ads can be previewed by creating an invisible post on the selected page.

These invisible posts have an ID and a link, but they are not visible on the page where they have been created — they can only be viewed by users who have the link.

Darabi discovered that changing the page_id parameter in a request sent when creating such an invisible post leads to the post being created on the Facebook page associated with the specified page_id. “All we need to do is to find the post_id that exists on any ad preview endpoints,” he explained.

However, when an invisible post is created to preview an ad, Facebook checks if the user has the permissions needed to post on the targeted page. The researcher bypassed this requirement by abusing the “Share” feature in Creative Hub, which creates a link that gives others access to the ad preview. The permission check was missing when this Share feature was used, enabling an attacker to create invisible posts on pages where they did not have any role.

This vulnerability could have been highly useful to malicious actors as it would have allowed them to create posts with any content — this includes scams and malicious links — on any Facebook page, making their posts more likely to be trusted by users. Darabi told SecurityWeek that an attacker could have easily shared the invisible post on Facebook groups, profiles and pages.

“These types of posts are not shown on the feed timeline but are accessible via a direct link,” Darabi explained in a blog post. “The main impact of these types of posts is that the page admins cannot view or delete them since they don’t have any links.”

Darabi reported his findings to Facebook on November 6 and the social media giant implemented a fix within a week. However, the researcher managed to bypass the fix. He earned $15,000 for finding the vulnerability and another $15,000 for bypassing Facebook’s patch. The company said it had found no evidence of exploitation for malicious purposes.

Bug bounty hunter Youssef Sammouda also reported finding an interesting Facebook vulnerability recently. He also earned $30,000 from Facebook for a security flaw he reported to the company in November 2020.

Sammouda discovered a cross-site scripting (XSS) vulnerability on a subdomain for Facebook’s Oculus VR headsets, which ultimately allowed him to hijack both Oculus and Facebook accounts. The researcher published a blog post detailing his findings earlier this month.

Related: Email Address of Instagram Users Exposed via Facebook Business Suite

Related: Facebook Pays $60,000 for Vulnerability in Messenger for Android

Related: Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Related: Facebook Announces Vulnerability Reporting and Disclosure Policy

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.