Marcos Ferreira

Published On: 27 Dec 2022

$500

Page owner unable to remove user's access on a Facebook page

Other
Facebook | Web
---
LOW VALID
Description

If a user with full control or partial access to an NPE (New Pages Experience) page enrolls their account in a security epsilon checkpoint, the page owner may not be able to remove them as an administrator.

Impact

This could allow a malicious user to retain access to the page even after the owner has tried to remove them.

Reproduction Steps

Step 1

FBDL code:

[setup]
User UserOne
User UserTwo
Page PageOne with {owner: UserOne, analysts: [UserTwo]} #npe page
[action]
UserTwo add_checkpoint UserTwo with {checkpoint: Epsilon}

Step 2

UserOne will not be able to remove or change UserTwo's role on the page.
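As an added illustration (not Facebook's code; the checkpoint semantics and the User/Page model are assumptions), the following Python model reproduces the authorization flaw the steps above describe next to a fixed variant in which the target's checkpoint no longer blocks the owner's revocation:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    checkpoint: Optional[str] = None   # e.g. "Epsilon" (value taken from the report)

@dataclass
class Page:
    owner: User
    roles: dict = field(default_factory=dict)  # user name -> role, e.g. "analyst"

class RoleChangeDenied(Exception):
    pass

def remove_role_vulnerable(page: Page, actor: User, target: User) -> bool:
    """Buggy variant: a checkpointed account is frozen even as the *target* of a change."""
    if actor is not page.owner:
        raise RoleChangeDenied("only the owner may change roles")
    if actor.checkpoint or target.checkpoint:   # BUG: target's checkpoint blocks the owner
        raise RoleChangeDenied("account is in a security checkpoint")
    page.roles.pop(target.name, None)
    return target.name not in page.roles

def remove_role_fixed(page: Page, actor: User, target: User) -> bool:
    """Fixed variant (assumed design): a checkpoint limits what the checkpointed
    account may do, never what the owner may revoke from it."""
    if actor is not page.owner:
        raise RoleChangeDenied("only the owner may change roles")
    if actor.checkpoint:                        # only the acting account is checked
        raise RoleChangeDenied("actor is in a security checkpoint")
    page.roles.pop(target.name, None)
    return target.name not in page.roles

def reproduce(remove_role) -> bool:
    """Constructed run of the report's FBDL setup: UserOne owns PageOne, UserTwo is
    an analyst who checkpoints themselves. Returns True if the owner's removal worked."""
    user_one, user_two = User("UserOne"), User("UserTwo")
    page = Page(owner=user_one, roles={"UserTwo": "analyst"})
    user_two.checkpoint = "Epsilon"             # [action] UserTwo add_checkpoint UserTwo
    try:
        return remove_role(page, user_one, user_two)
    except RoleChangeDenied:
        return False

if __name__ == "__main__":
    print("vulnerable:", reproduce(remove_role_vulnerable))  # False: UserTwo keeps access
    print("fixed:", reproduce(remove_role_fixed))            # True: UserTwo removed
```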

Timeline

Marcos (18 May 2022): Initial Report

Facebook (25 May 2022): Triaged. Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation.

Facebook (08 Jun 2022): Bug Fixed. We have looked into this issue and believe that the vulnerability has been patched.

Facebook (09 Jun 2022): Bounty awarded. You identified that in New Pages Experience, a page owner cannot remove someone's access if that user is enrolled in a checkpoint.
