Facebook has recently addressed an information disclosure vulnerability, discovered by the security researcher Mohamed Baset, that exposed the names of page administrators.
According to Baset, the flaw is a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post.
“One day I liked one of the posts of a specific page, but I didn’t like or follow the page itself. After a few days I got an email notification from Facebook regarding an invitation to like the page whose post I had already liked. I was amazed by the feature, but I realized that this is a feature to target non-fans, and I was wondering what could go wrong since this is a new feature?” states the blog post published by the expert.
“From the investigations that I’m doing sometimes in the office of the fraud and phishing emails, I’m always and blindly showing the ‘Original’ of the message (that can be achieved by clicking on the little drop-down menu arrow beside the message reply button).” The researcher analyzed the source code of the email sent by the social network and discovered that it includes the name of the administrator of the page, along with other information.
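The defensive counterpart of the check described above, as an added example that is not code from the researcher or from Facebook: parse the raw source of a notification email and report any identity that appears in a header or in a non-visible MIME part without appearing in the plain-text body the recipient reads. The sample message, the `X-Page-Owner` header and the names in it are constructed for the example.

```python
import email
from email import policy

# Constructed sample of a "like this page" invitation, modelled on the leak the
# article describes: the visible text names only the page, while a custom header
# and an HTML comment carry the administrator's name. All values are made up.
RAW_NOTIFICATION = """\
From: notification@example.invalid
To: fan@example.invalid
Subject: Example Page invited you to like their Page
X-Page-Owner: Jane Admin
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Example Page invited you to like their Page.

--b1
Content-Type: text/html; charset=utf-8

<!-- sent on behalf of Jane Admin -->
<p>Example Page invited you to like their Page.</p>
--b1--
"""


def hidden_identity_leaks(raw, identities):
    """Return {identity: [locations]} for every identity in `identities` that
    occurs in a header or a non-plain-text part but NOT in the visible
    plain-text body. An empty dict means nothing is leaked out of sight."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    visible = plain.get_content() if plain is not None else ""
    leaks = {}
    for ident in identities:
        if ident in visible:
            continue  # shown to the recipient anyway, not a hidden leak
        locations = [f"header:{name}" for name, value in msg.items() if ident in value]
        for part in msg.walk():
            if part.is_multipart() or part is plain:
                continue
            if ident in part.get_content():
                locations.append(f"part:{part.get_content_type()}")
        if locations:
            leaks[ident] = locations
    return leaks
```

Run it over a template's rendered output before it ships; any administrator name reported here is exactly the kind of exposure the article describes.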
The researcher reported the issue to Facebook, which acknowledged it and awarded the expert $2,500 under its bug bounty program. Facebook has announced that it has paid out more than $880,000 for 400 vulnerability reports submitted by hackers. Many of you may consider the issue not so serious, but this isn’t true: under certain circumstances the data exposure could represent a threat to users’ privacy. In the case of business or community pages, revealing the identities of the administrators could get them targeted by messages and comments.
“For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much. But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.” reads the blog post published by Sophos. “If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself.”