Rony K Roy

Published On: 19 Sep 2023

Anonymous post owner disclosure

Privacy/Authentication
Facebook | Android
---
LOW VALID
Description

Facebook Groups offer an anonymous posting feature. Users can create anonymous posts and engage anonymously with commenters. However, if they reply to comments or like comments beneath their anonymous post using Facebook Lite, other group members can unveil their identity by accessing their group profile (www.facebook.com/groups/group_id/user/user_id). In the Recent Activity section, comments made anonymously will be shown with the post owner's profile picture and real name.

Impact

Group members can reveal the identity of an anonymous post owner if they used Facebook Lite to respond to comments under the post.




Reproduction Steps

Step 1

FBDL run: 2566222610194053

Script:
[setup]
User UserOne
User UserTwo
User UserThree
User UserFour
Group GroupOne with {privacy: public, owner: UserOne, members: [UserTwo, UserThree, UserFour]}

[action]
UserTwo make_anonymous_post AnonPostOne with {group: GroupOne, approved_by: UserOne}

Step 2

Set up

1. UserOne
2. UserTwo
3. UserThree
4. UserFour
5. GroupOne with {privacy: public, owner: UserOne, members: [UserTwo, UserThree, UserFour]}

Step 3

  1. Log in as UserTwo using the desktop version.
  2. Go to GroupOne and create an anonymous post (AnonymousPostOne). Approve the post as UserOne.
  3. Log in as UserThree.
  4. Navigate to GroupOne/AnonymousPostOne and add a comment (CommentOne).
  5. Using the latest version of Facebook Lite for Android, log in as UserTwo.
  6. Visit GroupOne/AnonymousPostOne.
  7. Reply with "Test123" to CommentOne.
  8. Log in as UserThree using the desktop version.
  9. Go to GroupOne/Members.
  10. Click on UserTwo's name.
  11. Scroll down to Recent Activity, where you will see that UserTwo created the comment "Test123" and is also the post owner.
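
The privacy invariant behind this report, written as a regression check (an added example, not code from the report or from Meta). The data model, the two view functions and the sample records are hypothetical and constructed for illustration, and the model ignores admin and moderator roles.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Post:
    post_id: str
    owner: str
    anonymous: bool

@dataclass(frozen=True)
class Comment:
    comment_id: str
    post_id: str
    author: str
    text: str

# Constructed sample data mirroring the users and objects in the steps above.
POSTS = {
    "AnonPostOne": Post("AnonPostOne", "UserTwo", anonymous=True),
    "PublicPostOne": Post("PublicPostOne", "UserTwo", anonymous=False),
}
COMMENTS = [
    Comment("CommentOne", "AnonPostOne", "UserThree", "hello"),
    Comment("ReplyOne", "AnonPostOne", "UserTwo", "Test123"),
    Comment("ReplyTwo", "PublicPostOne", "UserTwo", "normal reply"),
]

def recent_activity_leaky(member, viewer):
    """Lists every comment by `member`, whatever post it sits under."""
    return [c for c in COMMENTS if c.author == member]

def recent_activity_hardened(member, viewer):
    """Hides a member's comments under their own anonymous post from other viewers."""
    def visible(c):
        post = POSTS[c.post_id]
        own_anon_thread = post.anonymous and post.owner == c.author
        return viewer == member or not own_anon_thread
    return [c for c in COMMENTS if c.author == member and visible(c)]

def deanonymizing_items(view, member, viewer):
    """Invariant check: activity items that tie `member` to an anonymous post they own."""
    return [c.comment_id for c in view(member, viewer)
            if viewer != member
            and POSTS[c.post_id].anonymous and POSTS[c.post_id].owner == member]

if __name__ == "__main__":
    for view in (recent_activity_leaky, recent_activity_hardened):
        print(view.__name__, deanonymizing_items(view, "UserTwo", "UserThree"))
```

The check is independent of which client wrote the comment, so it covers activity created from any app version.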


Timeline

Rony 17 Aug 2023

Reported

Facebook 22 Aug 2023

Closed as N/A
Hi Rony, Thanks for contacting us. First of all the author of the post should not expect to be interacting as anonymous member on fb lite, anony ...

Rony 23 Aug 2023

Review requested
"First of all the author of the post should not expect to be interacting as anonymous member on fb lite, anonymous posts are not supported on fbl ...

Rony 23 Aug 2023

Sent more details
"Additionally from other member of the group point of view, the comment is made by a simple member of the group, they cannot know it's made by th ...

Facebook 13 Sep 2023

Closed as Informative
Hi Rony, Thanks again for your report. We have discussed at length and in the scenario you reported (https://youtu.be/sBHJ3QDZZrQ), the user has ...

Rony 19 Sep 2023

Sent more details
Hi Samuel, Thank you for your reply. Could you have a look at the updated POC video (https://youtu.be/3x75cNkB_fY?si=uh-bs5lBLqrcPn8S)? You can ...

Facebook 19 Sep 2023

Closed as Informative
As we have made Meta's position on this report clear, we will no longer be sending updates regarding it. Thank you again for contacting us, and p ...

Facebook 20 Sep 2023

Triaged
Hi Rony, Thanks again for your report. We apologize for the mistake, I didn't understand properly the issue with your first proof of concept, i ...

Facebook 27 Sep 2023

Bounty Awarded

Facebook 20 Oct 2023

Fixed

VALID