Discovery and post-fix bypass earn bug hunter two $15k payouts

A security researcher has netted $30,000 in bug bounties after demonstrating how to create hidden posts on any Facebook page without authorization – before promptly bypassing the company’s initial bug fix.

An attacker exploiting the flaw could then “share a post in another group/person/page” and “the post will be displayed” as originating “from the victim’s page”, Pouya Darabi told The Daily Swig.

They could even implant malicious posts on pages verified by Facebook. “People trust these pages because they know they are officially approved,” said the researcher.

Citing Facebook’s very own social media page as vulnerable, he added: “The user can be sure of the site address (it’s facebook.com) and clicking on the page, [they] will go to the official Facebook page again, so there is no doubt” about the page’s legitimacy.

Darabi was awarded payouts of $15,000 for each exploit, which leveraged a critical security vulnerability in Facebook’s Creative Hub.

Marketers can mock up ads in Creative Hub and create ‘invisible’ posts – meaning they are not publicly visible on the Facebook page – in order to preview and share the ads privately with colleagues, via a direct link, prior to distribution.

Helpless admins

“The page admins cannot view or delete them since they don’t have any links,” noted Darabi in a blog post outlining his discovery.

After creating an invisible post on his own Facebook page, the researcher then intercepted Facebook’s request to create the post and switched the page_id to that of his hypothetical victim’s page. The change was duly saved “without any error or issue”.

That “the permission was checked before generating the preview” indicated that Facebook had deemed Darabi to have a legitimate advertiser role for the target page.

“After clicking on the share button” – a recently added Creative Hub feature for sharing mockup previews with colleagues – “the API will answer with a new shareable URL like this: https://www.facebook.com/ads/previewer/__PREVIEW_KEY__,” continued the researcher.


RELATED Oculus, Facebook account takeovers net security researcher $30,000 bug bounty


“The gotcha is that the permission-check is missing before generating a preview post on the share page.

“Changing page_id before saving the mockup in [a] GraphQL request and then getting back the sharable link for it, gives us the ability to create a post on any page.

“All we need to do is to find the post_id that exists on any ad preview endpoints,” added Darabi.

“Finally, we created an invisible post on the victim page without their knowledge!”

The sharing feature also “allows us to do the attack without sending a link,” the researcher told The Daily Swig.

Foiling the fix

Darabi then circumvented Facebook’s fix with a request – AsyncRequest.post('/ads/previewer/notify_mobile/__PREVIEW_KEY__',{}) – that created a post page and sent a notification to his mobile device.

The ‘send to mobile’ feature then created “a preview again without checking permission”.

Darabi has produced proof-of-concept videos for both the initial exploit and post-fix bypass.


Read more of the latest bug bounty news

‘No evidence of abuse’

The researcher alerted Facebook to the flaw on November 6 and the first fix was implemented on November 11.

After being notified of the subsequent bypass on November 12, the advertising and social media giant rolled out a final remedy on November 20.

Facebook said it had “found no evidence of abuse” of the vulnerability in the wild.

In its response to Darabi, the platform indicated that the bug bounty payout would have been higher still had the bug allowed attackers to create visible posts.


RELATED Oculus, Facebook account takeovers net security researcher $30,000 bug bounty