The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability!

Hi guys, how are you doing? Well, I'll assume and hope the answer is "Fine"... Today I will show you a bug I found in Facebook without using any kind of testing tool. But this kind of bug requires something more than tools: it requires a hawk eye, a platform-aware bug-hunter mentality, a poet and an awesome morning cup of coffee. So don't expect to gain technical skills from this blog post, only some pro tips and hunting-mentality experience!

This is only the second time I have sent a report to the Facebook Security Team without writing a single line of code!

The Feature:
Facebook introduced a great feature for page admins: they can invite people who liked a specific post of their page, but not the page itself, to like the page. It is reached by opening the list of who interacted with a specific post; in the interactions lightbox you will find a little button captioned "Invite", shown only for users who do not already like the page. The message those users receive looks like this one:


The Story:
One day I liked one of the posts of a specific page, but I did not like or follow the page itself. A few days later I got an email notification from Facebook with an invitation to like the page whose post I had already liked. I was amazed by the feature, but I realized that it is a feature for targeting non-fans, and I wondered what could go wrong, since it is a new feature.

The hawk-eye powered hunting mentality:
What came to my mind at that time? Hmm, there is nothing to attack here, but we do have a piece of evidence, the email notification, so why not investigate it? Well, we have an email message; what do we do with it?

From the investigations of fraud and phishing emails that I sometimes do in the office, I have the habit of always, almost blindly, opening the "Original" of the message (in the mail client this is reached through the little drop-down arrow beside the message reply button, under "Show original").

So I did that, and guess what?


Bug Timeline:
09:15 AM: Came to the office
09:30 AM: Took my Mac out, got the cup of coffee and started working by checking morning messages, emails, Facebook notifications, etc.
09:35 AM: Got a new email notification from Facebook titled "You have an invitation from {FACEBOOK_PAGE_NAME}"
09:36 AM: Opened the email
09:37 AM: Navigated to "Show Original" to check the detailed information of the email.
09:37:18 AM: Found the Facebook admin id in the email's original headers
09:38 AM: Report sent to Facebook Security Team





Pro Tip #1: Always check the "Original Headers" and "Details" of every email message; if no important information turns up, at least you will feel satisfied.
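Here is that inspection step written down as an added example (my own code, not from the original post): a small Python script that parses a raw message as copied from a mail client's "Show original" view and lists every non-standard header carrying a long numeric token, the shape platform user and object IDs usually take. The sample message, including the X-Hypothetical-* header names and values, is constructed for this example and does not reproduce the real headers Facebook sent.

```python
"""Scan a raw email ("Show original") for non-standard headers that carry IDs."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message standing in for a "Show original" view.
# Every header name and value is made up for this example; the
# X-Hypothetical-* headers are NOT the real headers Facebook sends.
SAMPLE_RAW = """\
Return-Path: <notification@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
 by mx.recipient.invalid with ESMTPS id abc123
 for <victim@recipient.invalid>; Wed, 21 Oct 2015 09:35:00 +0000
Date: Wed, 21 Oct 2015 09:35:00 +0000
From: Example Platform <notification@example.invalid>
To: victim@recipient.invalid
Subject: You have an invitation from Example Page
Message-ID: <20151021093500.1234@example.invalid>
X-Hypothetical-Invite-Sender-Id: 100000000012345
X-Hypothetical-Page-Id: 2000000000067
X-Mailer: example-notifier/1.0
Content-Type: text/plain; charset="utf-8"

Example Page invited you to like their page.
"""

# Headers every mail has; they are skipped so that transport noise
# (Message-ID timestamps, IP addresses in Received lines) is not reported.
STANDARD_HEADERS = {
    "return-path", "received", "date", "from", "to", "cc", "reply-to",
    "subject", "message-id", "mime-version", "content-type",
    "content-transfer-encoding", "dkim-signature", "authentication-results",
    "list-unsubscribe",
}

# A run of six or more digits not embedded in a longer digit run.
ID_PATTERN = re.compile(r"(?<!\d)\d{6,}(?!\d)")


def parse_raw_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message as pasted from a 'Show original' view."""
    return email.message_from_string(raw, policy=policy.default)


def nonstandard_headers(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (name, value) for every header outside the common standard set."""
    return [
        (name, str(value))
        for name, value in msg.items()
        if name.lower() not in STANDARD_HEADERS
    ]


def find_identifier_headers(raw: str) -> dict[str, list[str]]:
    """Map each non-standard header holding an ID-shaped token to its tokens."""
    findings: dict[str, list[str]] = {}
    for name, value in nonstandard_headers(parse_raw_message(raw)):
        tokens = ID_PATTERN.findall(value)
        if tokens:
            findings[name] = tokens
    return findings


def report(raw: str) -> str:
    """Human-readable summary of the suspicious headers in a raw message."""
    findings = find_identifier_headers(raw)
    if not findings:
        return "No ID-shaped tokens in non-standard headers."
    lines = [f"{name}: {', '.join(tokens)}" for name, tokens in findings.items()]
    return "ID-shaped tokens found in non-standard headers:\n" + "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_RAW with the contents of a real "Show original" view.
    print(report(SAMPLE_RAW))
```

The allow-list of standard headers is deliberately short; anything the script does not recognise is shown, which is the point: the interesting leak is almost always in a header the platform added for its own bookkeeping, not in the ones the mail transport needs.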

Pro Tip #2: I disclosed this bug, but its effect can still be seen retroactively: search your inbox for the string "You have an invitation from", follow the reproduction steps above, and you will find the admin name 😛

Pro Tip #3: If you want to smash the Facebook Whitehat list, study Facebook first. Now you know why I'm spending hours on Facebook: I'm literally working on Facebook, unlike the bad guys who are only chatting.

Pro Tip #4: Attack the logic of anything that acts logically, because 1. it doesn't, and 2. it's written by a human (who has his own problems too).


Till the next one, Peace!


A minute if you please!

Building a website, an application or any kind of business? Or do you already have one? Worried about your security? Think twice before going public, and let us protect your business!

