Facebook patches admin information leak vulnerability

The severe vulnerability took only minutes to exploit.
Written by Charlie Osborne, Contributing Writer

Facebook has patched a severe vulnerability which leaked the information of administrators.

This week, bug hunter Mohamed Baset disclosed the flaw, which was found without the need for any kind of testing or penetration tools.

In a blog post, Baset said the bug, a logic error problem, occurred when a user liked a specific post on a page.

Page admins could send Facebook invitations asking users if they wished to like a page after liking a post, and a few days later, these users may have received an email reminding them of the invitation.

Considering the email worth investigating, the researcher viewed the "original" message -- an option many email providers offer through a settings button -- and the result was the leak of the administrator's name and admin ID.


The exploit only took a minute or two.

While the leak of some administrator details may not seem like such a big deal, information leaks are serious issues and can potentially be used in other attacks or vulnerability chains.

Baset immediately reported the problem to the Facebook Security Team, which responded:

"We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them," Facebook said. "We've address[ed] the root cause here and future emails will not contain that information."

The researcher was awarded $2,500 through the Bugcrowd bug bounty program.

In related news, on Tuesday Facebook updated the Messenger chat feature with the aim of generating more business-related interest.

Messenger 2.3 will bring "deeper engagement between businesses and customers," according to the social networking giant, through improved customization features for customer service communication.
