Kassem Bazzoun

Published On: 05 May 2019

Spoofing identity of user tagging someone in a video

Facebook | Web

An attacker is able to impersonate another user's identity when tagging his friends (or friends of friends) on the victim's videos. A wrong notification reaches the tagged user: the notification is sent on behalf of the owner of the video (the victim). This attack takes place when the attacker uses a Business Manager token and makes the tag through the Graph API.

Reproduction Steps


1. Stephen uploaded a video on his Timeline (public video).

2. Kassem, the attacker, tagged his friend Sarmad on Stephen's video using a business token in the Graph API Explorer.

Access Token: Business Manager token (436761779744620 : Business Manager)

POST request, API v3.2: /{Video_ID}/tags (Stephen's video ID: 102576690882894).

Parameter: tag_uid (the ID of the friend we want to tag; in our test, Sarmad's account ID).

Note: Kassem (attacker) is able to tag on Stephen's (victim) video because the video is public and Kassem and Stephen have at least one mutual friend.

3. A notification reached Sarmad that Stephen (victim) tagged him, although Kassem (attacker) is the tagger (the notification is sent from the wrong user: from the owner of the video).

The attacker has permission to tag his friends on the victim's videos although there is no relationship between the victim (owner of the video) and the attacker's friends (the friends tagged by the attacker).

Kassem impersonates Stephen's identity: Sarmad thought that Stephen tagged him, although Kassem made the tag.
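Added example, not Facebook's code and not the reporter's: a Python model of the attribution bug the report describes, with the buggy behaviour beside a hardened version. The user names, friend lists and the notification structure are assumptions constructed for illustration; only the video ID comes from the report.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)

@dataclass
class Video:
    video_id: str
    owner: User
    public: bool = True

@dataclass
class Notification:
    recipient: str  # who is told "<actor> tagged you in a video"
    actor: str      # whom the notification names as the tagger
    video_id: str

def can_tag(tagger: User, video: Video, target: User) -> bool:
    """Preconditions stated in the report: public video, tagger and owner
    share at least one mutual friend, and the target is the tagger's friend."""
    mutual = bool(tagger.friends & video.owner.friends)
    return video.public and mutual and target.uid in tagger.friends

def tag_vulnerable(tagger: User, video: Video, target: User) -> Notification:
    """Hypothetical model of the reported behaviour: the notification actor
    falls back to the video owner when the tagger is not the owner's friend."""
    if not can_tag(tagger, video, target):
        raise PermissionError("tag not permitted")
    actor = tagger if tagger.uid in video.owner.friends else video.owner
    return Notification(target.uid, actor.uid, video.video_id)

def tag_fixed(tagger: User, video: Video, target: User) -> Notification:
    """Hardened model: the actor is always the authenticated principal behind
    the access token, never derived from the resource being tagged."""
    if not can_tag(tagger, video, target):
        raise PermissionError("tag not permitted")
    return Notification(target.uid, tagger.uid, video.video_id)

# Constructed sample data mirroring the report (friend lists are assumptions).
MUTUAL = "mutual_friend"
STEPHEN = User("stephen", {MUTUAL})                 # victim, owns the video
KASSEM = User("kassem", {MUTUAL, "sarmad"})         # attacker, tags via the API
SARMAD = User("sarmad", {"kassem"})                 # tagged user
VIDEO = Video("102576690882894", STEPHEN, public=True)  # video ID from the report

if __name__ == "__main__":
    print("vulnerable:", tag_vulnerable(KASSEM, VIDEO, SARMAD))  # actor=stephen
    print("fixed:     ", tag_fixed(KASSEM, VIDEO, SARMAD))       # actor=kassem
```

The vulnerable path also reproduces the reporter's follow-up observation: when the tagger is already the owner's friend, the actor comes out correct, which is why the bug was hard to reproduce from a friend account.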


Kassem 10 Feb 2019

Initial Report

Facebook 13 Feb 2019

Pre-triage: Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook 18 Feb 2019

Need more information: We're having a hard time reproducing the issue described in your report. Please reply with reproduction instructions (images and video would be h ...

Kassem 19 Feb 2019

Sending additional information

Facebook 19 Feb 2019

Not able to reproduce: Please see the attached screenshots showing the business manager token and the notification that's generated. Please let me know if you have any ...

Kassem 21 Feb 2019

Found the issue: when the attacker and victim are friends (Kassem and Stephen) and then Kassem tags Sarmad, the notification will be sent from the correct user and ...

Facebook 21 Mar 2019

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 05 Apr 2019

Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Kassem 05 Apr 2019


Facebook 03 May 2019

Bounty Awarded: After reviewing this issue, we have decided to award you ... . Below is an explanation of the bounty amount. Facebook fulfills its bounty awards t ...