Mohammad Atwi

Published On: 16 May 2019

Disclose page admins for any Facebook page

Facebook | Web

Facebook pages have an option called “canvas”. It allows us to create a simple form and then preview it on our mobile phone or send it to any admin of our Facebook page, so we will use this option to disclose the admins of any Facebook page.


This could have let a malicious user view the list of admins of any page.

Reproduction Steps


Setup:

- Create any Facebook page

- Victim page ID


Open your page and go to the “Settings” tab.



Enter “Publishing Tools” and then open the “canvas” tab on the left side.



After creating the canvas, go to the share button.



A typeahead search appears.

It searches among your page admins, so type anything and intercept the request.

In the intercepted request, change the page_id parameter to the victim page ID and leave the parameter value empty (to tell the server to fetch all the admins on the page).


The server will reply with:

UniqueId = Admin ID

Title = Admin name :)

Then, as you know, simply open the following URL

and you will be redirected to the admin profile :)

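The steps above work because the server answers for whatever page_id the client sends. As an added example (not Facebook's code and not part of the original write-up), this sketch models the lookup with and without a server-side role check; the data store, function names, user IDs and page IDs are hypothetical, and only the UniqueId/Title field names come from the reply described above.

```python
# Constructed in-memory model: page_id -> {admin_id: admin_name}.
PAGE_ADMINS = {
    "1001": {"501": "Alice Example", "502": "Bob Example"},  # caller's own page
    "2002": {"777": "Carol Example"},                        # someone else's page
}
DENIED = []  # audit trail of rejected lookups, usable as a detection signal


class Forbidden(Exception):
    """Raised for any page the caller may not search."""


def _match(page_id, query):
    q = query.strip().lower()
    # An empty query matches every admin, as in the reply described above.
    return [{"UniqueId": uid, "Title": name}
            for uid, name in sorted(PAGE_ADMINS[page_id].items())
            if q in name.lower()]


def typeahead_unchecked(session_user, page_id, query):
    """Flawed pattern: the client-supplied page_id is used as-is."""
    return _match(page_id, query)


def typeahead_checked(session_user, page_id, query):
    """Fixed pattern: the caller must hold a role on the page being searched."""
    admins = PAGE_ADMINS.get(page_id) if isinstance(page_id, str) else None
    if admins is None or session_user not in admins:
        DENIED.append((session_user, page_id))
        # Same error for unknown and unauthorized pages: no existence oracle.
        raise Forbidden("content not available")
    return _match(page_id, query)


if __name__ == "__main__":
    print(typeahead_unchecked("501", "2002", ""))  # leaks the other page's admin
    print(typeahead_checked("501", "1001", ""))    # own page: allowed
    try:
        typeahead_checked("501", "2002", "")
    except Forbidden as exc:
        print("denied:", exc, DENIED)
```

The authorization decision is taken from the server-side session identity, never from a request parameter, and every rejected lookup is recorded so that repeated cross-page probing stands out in review.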

Why is this a critical bug?

This bug is critical and serious because, as you know, admin names are very sensitive and classified information. Page owners keep their identities hidden, and sometimes it is very dangerous to reveal an identity, especially when governments are seeking to find it. Facebook does not accept government requests to hand over this classified information (if governments succeed in getting these names, they will sue the admins and may imprison them). Governments, or maybe mafias, are seeking to buy this kind of serious bug on the deep web.


Mohammad 26 Oct 2017

Initial Report

Facebook 30 Oct 2017

Triaged: Nice catch :) We have confirmed the issue. We are sending it to the appropriate product team for further investigation. We will keep you updated ...

Facebook 01 Dec 2017

Bug Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does n ...

Mohammad 01 Dec 2017

Fix Confirmation: " This content is no longer available","errorDescription":"The content you requested cannot be displayed right now. It may be temporarily unavail ...

Facebook 06 Dec 2017

Bounty awarded: This could have let a malicious user view the list of admins of any page.