Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.

The researcher found the vulnerability while analyzing Creative Hub, a tool that allows Facebook users to create and preview ads for Facebook, Instagram or Messenger. Creative Hub enables users to collaborate on ad mockups and the ads can be previewed by creating an invisible post on the selected page.

These invisible posts have an ID and a link, but they are not visible on the page where they have been created — they can only be viewed by users who have the link.

Darabi discovered that changing the page_id parameter in a request sent when creating such an invisible post leads to the post being created on the Facebook page associated with the specified page_id. “All we need to do is to find the post_id that exists on any ad preview endpoints,” he explained.

However, when an invisible post is created to preview an ad, Facebook checks if the user has the permissions needed to post on the targeted page. The researcher bypassed this requirement by abusing the “Share” feature in Creative Hub, which creates a link that gives others access to the ad preview. The permission check was missing when this Share feature was used, enabling an attacker to create invisible posts on pages where they did not have any role.

This vulnerability could have been highly useful to malicious actors as it would have allowed them to create posts with any content — this includes scams and malicious links — on any Facebook page, making their posts more likely to be trusted by users. Darabi told SecurityWeek that an attacker could have easily shared the invisible post on Facebook groups, profiles and pages.

“These types of posts are not shown on the feed timeline but are accessible via a direct link,” Darabi explained in a blog post. “The main impact of these types of posts is that the page admins cannot view or delete them since they don’t have any links.”

Advertisement. Scroll to continue reading.

Darabi reported his findings to Facebook on November 6 and the social media giant implemented a fix within a week. However, the researcher managed to bypass the fix. He earned $15,000 for finding the vulnerability and another $15,000 for bypassing Facebook’s patch. The company said it had found no evidence of exploitation for malicious purposes.

Bug bounty hunter Youssef Sammouda also reported finding an interesting Facebook vulnerability recently. He also earned $30,000 from Facebook for a security flaw he reported to the company in November 2020.

Sammouda discovered a cross-site scripting (XSS) vulnerability on a subdomain for Facebook’s Oculus VR headsets, which ultimately allowed him to hijack both Oculus and Facebook accounts. The researcher published a blog post detailing his findings earlier this month.

Related: Email Address of Instagram Users Exposed via Facebook Business Suite

Related: Facebook Pays $60,000 for Vulnerability in Messenger for Android

Related: Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Related: Facebook Announces Vulnerability Reporting and Disclosure Policy

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.