Published On: 16 May 2019
Facebook pages have an option called "canvas". It lets you create a simple form and then preview it on your mobile phone or send it to any admin of your Facebook page. This option could be used to disclose the admins of any Facebook page.
This could have let a malicious user view the list of admins of any page.
Step 1
Setup:
- Create any Facebook page
- Victim page ID
Step 2
Step 3
Step 4
Step 5
The typeahead search appears. It searches the admins of your own page, so type anything and intercept the request.
Step 6
This is the request:
/ads/canvas_preview_typehead/?page_id=Victim_id&value=
Change the page_id parameter to the victim page ID and leave the value parameter empty (this tells the server to fetch all the admins of the page).
Step 7
The server replies with:
UniqueId = Admin ID
Title = Admin name :)
Simply open www.facebook.com/uniqueID and you will be redirected to the admin's profile :)
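The root cause in step 6 is a missing object-level authorization check: the server honours whatever page_id it is given. As an added illustration that is not Facebook's code, the constructed model below shows the vulnerable handler beside a hardened one that only searches pages the requester administers, plus a replay of constructed log entries through the same rule to find requests that should have been refused; every page id, user id, name and log line is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (assumption): page id -> admin user ids, user id -> name.
PAGE_ADMINS = {"page_1": {"u100", "u200"}, "page_2": {"u300"}}
USER_NAMES = {"u100": "Alice Admin", "u200": "Bob Admin", "u300": "Carol Admin"}

class Forbidden(Exception):
    """Raised when the requester is not an admin of the requested page."""

def is_page_admin(requester: str, page_id: str) -> bool:
    """The authorization rule the typeahead should have enforced."""
    return requester in PAGE_ADMINS.get(page_id, set())

def typeahead_vulnerable(requester: str, page_id: str, value: str) -> list[dict]:
    """Mirrors the reported bug: requester is received but never consulted,
    page_id is trusted as supplied, and an empty value matches every admin,
    so any caller can enumerate the admins of any page."""
    return [
        {"uniqueId": uid, "title": USER_NAMES[uid]}
        for uid in sorted(PAGE_ADMINS.get(page_id, set()))
        if value.lower() in USER_NAMES[uid].lower()
    ]

def typeahead_fixed(requester: str, page_id: str, value: str) -> list[dict]:
    """Object-level authorization: only pages the requester already
    administers can be searched, so page_id cannot be pointed elsewhere."""
    if not is_page_admin(requester, page_id):
        raise Forbidden(f"{requester} is not an admin of {page_id}")
    return typeahead_vulnerable(requester, page_id, value)

@dataclass(frozen=True)
class LogEntry:
    requester: str
    page_id: str
    value: str

def audit(entries: list[LogEntry]) -> list[LogEntry]:
    """Retrospective detection: replay past requests through the same rule
    and return those that should have been refused."""
    return [e for e in entries if not is_page_admin(e.requester, e.page_id)]

# Constructed log (assumption): u300 administers only page_2 but queried page_1
# with an empty value, the pattern described in the writeup.
SAMPLE_LOG = [LogEntry("u100", "page_1", "al"), LogEntry("u300", "page_1", ""),
              LogEntry("u300", "page_2", "")]
```

The hardened handler still returns admin ids to the page's own admins, which is the intended behaviour; the fix is scoping the lookup to pages the caller is already authorized on, not hiding the ids.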
This bug is critical and serious. As you know, admins' names are very sensitive and classified information. Page owners have hidden identities, and sometimes it is very dangerous to reveal an identity, especially when governments are seeking to find it. Facebook does not accept government requests for this classified information (if governments succeed in getting these names, they will sue the owners and may imprison them). Governments or maybe mafias are seeking to buy this kind of serious bug on the DEEP WEB.