Categories: Hacking

Discovered 2 new Facebook vulnerabilities

The Security researcher Dan Melamed has found two new Facebook vulnerabilities related to the Fanpage Invite of the popular social network.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

  1. A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
  2. A Cross Site Request Forgery (CSRF) flaw
As explained by Dan a spammer could design a bot to collect a multitude of Facebook ID and spam them with invites to like his fanpage, but what is very interesting is that due the CSRF the invites to be sent on behalf of another user who simply visits a malicious website. Following the Facebook flaw described by the researcher.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:
Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.
“Depending on the target user’s notification settings, the invite would either appear in their notifications or under the “Like Pages” tab and it usually sends out an email informing the user that they were invited to like the fanpage.”
The rapid diffusion of social networks and the impressive amount of information they manage makes these platforms privileged targets of hackers and cybercriminals, every single feature could be exploited so it’s crucial a rapid incident response of internal security.
Pierluigi Paganini
(Security Affairs – Social network , Facebook Vulnerabilities)
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

10 hours ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

13 hours ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

19 hours ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

1 day ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

1 day ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

2 days ago