A researcher has received $30,000 from Facebook for discovering a flaw that could have been used to create invisible posts on any Facebook page. The same amount was paid to a separate researcher for an account hijacking vulnerability.
In November, bug bounty hunter Pouya Darabi discovered that an intruder could generate invisible posts on any Facebook page, including authenticated pages, without any permission on the targeted page.
The researcher found the flaw while reviewing Creative Hub, a service that allows Facebook users to build and preview advertisements for Facebook, Instagram or Messenger. Creative Hub helps users work on ad mockups, and the advertisements can be previewed by creating an invisible post on the chosen page.
These invisible posts have an ID and a link, but they are not accessible on the page where they were created; only users who have the link can access them.
Darabi discovered that, when creating such an invisible post, modifying the page ID parameter in the request causes the post to be created on the Facebook page associated with the specified ID. “All we need to do is find the post-id that exists on any endpoint for ad preview,” he explained.
However, when an invisible post is created to preview an ad, Facebook checks whether the user has the permissions required to post on the targeted page. The researcher bypassed this requirement by using the “Share” feature in Creative Hub, which generates a link that gives others access to the ad preview. When this sharing function was used, the permission check was absent, allowing an attacker to create invisible posts on pages where they had no role.
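As an added illustration (not code from Facebook or from the researcher), the following toy model shows the kind of gap described above: a permission check enforced on the direct preview path but missing from the share path, and the fix of enforcing it at the layer both paths share. Page, user and post names are constructed.

```python
# Added example: a minimal model of an authorization check that exists on one
# entry point but not another. All data below is constructed for the example.

PAGE_ROLES = {  # constructed: page_id -> users who hold a role on that page
    "page-1001": {"alice"},
    "page-2002": {"bob"},
}
POSTS = {}  # post_id -> (page_id, content, hidden)


class PermissionDenied(Exception):
    pass


def _write_post(page_id, content):
    """Storage layer: performs no authorization and trusts its callers."""
    post_id = f"post-{len(POSTS) + 1}"
    POSTS[post_id] = (page_id, content, True)  # hidden "invisible" post
    return post_id


def create_preview_vulnerable(user, page_id, content):
    """Direct ad-preview path: checks the user's role before writing."""
    if user not in PAGE_ROLES.get(page_id, set()):
        raise PermissionDenied(page_id)
    return _write_post(page_id, content)


def share_preview_vulnerable(user, page_id, content):
    """Share path: reaches the storage layer without any check, so a
    client-supplied page_id lands the post on a page the user has no role on."""
    return _write_post(page_id, content)


# Hardened version: the check lives in the layer every entry point goes through,
# so adding a new path (like "share") cannot silently skip it.
def _write_post_authorized(user, page_id, content):
    if user not in PAGE_ROLES.get(page_id, set()):
        raise PermissionDenied(page_id)
    return _write_post(page_id, content)


def share_preview_fixed(user, page_id, content):
    return _write_post_authorized(user, page_id, content)


def posts_on_page(page_id):
    """Helper for inspection: post IDs currently stored against a page."""
    return [pid for pid, (p, _, _) in POSTS.items() if p == page_id]
```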
This vulnerability could have been very useful to malicious actors, because it would have allowed them to create posts with arbitrary content, including scams and malicious links, on any Facebook page, making those posts more likely to be trusted by users. Darabi said that an attacker could easily have spread the invisible post through Facebook forums, accounts and sites.
In a blog post, Darabi explained: “These types of posts are not seen on the feed timeline but are available through a direct connection. The main impact of these types of posts is that, since they have no links, the page administrators cannot view or delete them.”
Darabi reported his findings to Facebook on November 6, and the social media giant introduced a patch within a week. The researcher did, however, manage to circumvent the patch. He was awarded $15,000 for discovering the flaw and another $15,000 for bypassing Facebook’s fix. The company said it had found no evidence that the flaw had been abused for malicious purposes.
Bug bounty hunter Youssef Sammouda also recently described discovering an unusual flaw in Facebook. He too received $30,000 from Facebook for a vulnerability he disclosed to the firm in November 2020.
Sammouda found a cross-site scripting (XSS) flaw on a subdomain for Facebook’s Oculus VR headsets, which ultimately allowed him to hijack both Oculus and Facebook accounts. The researcher published a blog post earlier this month describing his findings.