Friday, January 8, 2021

Create post on any Facebook page

  1 comment
12:17 PM


Create an invisible post on any Facebook page

page vulnerability

You may know that you can create many types of posts on your Facebook feed. one of them is called "invisible" (unlisted) which unlike other types cannot be seen on your feed, but like others, it has a link and id.

These types of posts are not shown on the feed timeline but are accessible via a direct link. the main impact of these types of posts is that the page admins cannot view or delete them since they don't have any links.
An attacker can use the post sharing feature to send it to others.

Share Feature

At Creative Hub we can create ads and use collaboration to complete them. Facebook creates an invisible post on the selected page for previewing them to the users.
I intercepted the request and change the "page_id" to the victim's "page_id" and it saves without any error or issue.
Permission Error Creative Hub

Permission Error Creative Hub

The permission here has been checked before generating the preview so you should definitely have the advertiser role. (above image)

Also, the Share Feature (image below) has been added to Facebook's Creative Hub recently, therefore, I started digging deeper into it again.
After clicking on the share button the API will answer with a new shareable URL like this:

Creative Hub

The gotcha is that the permission-check is missing before generating a preview post on the share page.
Changing page_id before saving the mockup in Graphql request and then getting back the sharable link for it, gives us the ability to create a post on any page. All we need to do is to find the post_id that exists on any ad preview endpoints.
Finally, we created an invisible post on the victim page without their knowledge!


Facebook fixed this vulnerability after I reported it but still, I was able to bypass the fix by using another approach.
// This request will create a post page plus sending a notification to the mobile device'/ads/previewer/notify_mobile/__PREVIEW_KEY__',{}) 
The "send to mobile" feature creates a preview again without checking permission.

Bypass POC:

Creative Hub

November 6, 2020 – Report Sent
November 6, 2020 Triaged
November 11, 2020 Fixed
November 12, 2020 – Bypass Sent
November 12, 2020 – Triaged
November 20, 2020 Fixed
December 16, 2020 $30,000 Bounty awarded

Read More

Thursday, June 4, 2020

Another image removal vulnerability on Facebook

10:13 AM

Delete any Image on Facebook using Series Feature

delete vulnerability

I noticed the Series Feature was added to Facebook Creator Studio therefor I start digging on it.


A request containing image ids will be sent, by inserting images in the "Poster Art" or "Cover Image" sections after creating a series

Modifying that request with another image-id will create a series containing that image. Finally, deleting the series also makes the victim's image (which is the series property) to be deleted too.


Kudos to the Facebook security team for resolving this vulnerability instantly.

2 May 2020, 09:10 – Report Sent
2 May 2020, 10:39 – Triaged
2 May 2020, 22:46 - Fixed
2 Jun 2020,  $10,000 Bounty awarded

Read More

Monday, December 9, 2019

Media deletion CSRF vulnerability on Instagram

  No comments
10:27 PM

Media deletion CSRF vulnerability on Instagram

I noticed a copyright section has been added to instagram. whenever a user violated another person copyright, a notification will be shown to delete or request an appeal for the media.

After uploading a video containing a music I faced with copyright
It was interesting to me, so I started digging into it.

It was possible to delete media by a GET request

Vulnerable Endpoint:{MEDIA_ID}/copyright/dismiss_am/

The MEDIA_ID is a {story_id or post_id} that will be deleted

Opening the malicious link within the both Instagram app or web cause media deletion in the victim's account.

Android POC: Remove story CSRF in android

Web POC: Remove post CSRF in web

User could be tricked into deleting content they had posted on Instagram.

January 29, 2019 – Report Sent
January 29, 2019 – Triaged
January 30, 2019 - Permanent fix
February 14, 2019   $3,000 Bounty awarded

Read More

Saturday, November 25, 2017

Image removal vulnerability in Facebook polling feature

2:12 PM

Delete any
Image on Facebook

When I was checking out facebook's new features, I noticed that polling feature were added to the posts so I start working on it.


Whenever a user tries to create a poll, a request containing gif URL or image id will be sent,
poll_question_data[options][][associated_image_id] contains the uploaded image id.

When this field value changes to any other images ID, that image will be shown in poll.
After sending request with another user image ID, a poll containing that image would be created.
Our uploaded image has been replaced by victim's image

At the end when we try to delete the poll, victim's image would be deleted with it by facebook as a poll property.


I appreciate Facebook security team for resolving this vulnerability quickly.

3 Nov 2017, 03:16 – Report Sent
3 Nov 2017, 15:25 – Triaged
3 Nov 2017, 16:46 - Temporary fix
5 Nov 2017, 15:03 - Permanent fix
8 Nov 2017   $10,000 Bounty awarded

Read More

Tuesday, May 17, 2016

How I bypassed Facebook CSRF once again!

9:52 AM

I found a vulnerability in Facebook that allowed me to create arbitrary form in Facebook that send a POST request with CSRF token to any Facebook endpoints or external hosts!

It was very similar to this bug which I found in 2015.

Read More

Thursday, April 9, 2015

How I bypassed Facebook CSRF Protection

2:35 AM

bypass facebook csrf 2015

I discovered a critical vulnerability in Facebook that allowed an attacker to bypasses Facebook CSRF protection!

more information about CSRF at owasp

Read More

Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015

  1 comment
2:04 PM

facebook exploit 2015

I discovered a vulnerability in Facebook that allowed a normal user in ad account to get unauthorized admin access in that ad account

admins in ad account  can add any user to their ad account with these 3 type of  role :

  1. admin
  2. advertiser
  3. analyst
read more about these roles link

Read More