
Facebook patches admin information leak vulnerability

The severe vulnerability took only minutes to exploit.
Written by Charlie Osborne, Contributing Writer on

Facebook has patched a severe vulnerability that leaked information about page administrators.

This week, bug hunter Mohamed Baset disclosed the flaw, which was found without the need for any kind of testing or penetration tools.

In a blog post, Baset said the bug, a logic error, occurred when a user liked a specific post on a page.

Page admins could send Facebook invitations asking users if they wished to like a page after liking a post, and a few days later, these users may have received an email reminding them of the invitation.

Considering the email to be worthy of investigation, the researcher viewed the "original" message, an option many email providers offer through a settings button, and found that it leaked the administrator's name and admin ID.


The exploit only took a minute or two.

While the leak of some administrator details may not seem like such a big deal, information leaks are serious issues and can potentially be used in other attacks or vulnerability chains.

Baset immediately reported the problem to the Facebook Security Team, which responded.

"We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them," Facebook said. "We've address[ed] the root cause here and future emails will not contain that information."

The researcher was awarded $2,500 through the Bugcrowd bug bounty program.


In related news, on Tuesday Facebook updated the Messenger chat feature with the aim of generating more business-related interest.

Messenger 2.3 will bring "deeper engagement between businesses and customers," according to the social networking giant, through improved customization features for customer service communication.
