Showing posts from December, 2018

Facebook BugBounty  - Disclosing page members

Because of some privacy reasons, identity of page members (admins/mods/analysts) is kept secret by facebook and normal page visitors cannot find the details about these members. But back in July 2018, when I was hunting for bugs in Facebook, I found multiple ways to disclose members of a facebook page. Disclosing post creators with 'Get Messages' feature This feature named “Get Messages” is available on Facebook pages when uploading posts and stuff. Get Messages feature Mainly e-commerce and online shopping websites use this feature with one of their product so whenever a visitor wants to know more about that particular product, they can simply click on the “Send message” button. A post with this feature enabled looks something like the below screenshot. A post with “Get messages” feature enabled The bug here is, if we click on this “Send message button”, profile ID of the creator is leaked in one of the responses coming from host which is not