Categories: Hacking

Discovered 2 new Facebook vulnerabilities

The Security researcher Dan Melamed has found two new Facebook vulnerabilities related to the Fanpage Invite of the popular social network.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

  1. A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
  2. A Cross Site Request Forgery (CSRF) flaw
As explained by Dan a spammer could design a bot to collect a multitude of Facebook ID and spam them with invites to like his fanpage, but what is very interesting is that due the CSRF the invites to be sent on behalf of another user who simply visits a malicious website. Following the Facebook flaw described by the researcher.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:
Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.
“Depending on the target user’s notification settings, the invite would either appear in their notifications or under the “Like Pages” tab and it usually sends out an email informing the user that they were invited to like the fanpage.”
The rapid diffusion of social networks and the impressive amount of information they manage makes these platforms privileged targets of hackers and cybercriminals, every single feature could be exploited so it’s crucial a rapid incident response of internal security.
Pierluigi Paganini
(Security Affairs – Social network , Facebook Vulnerabilities)
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: CybercrimeexploitFacebookFacebook vulnerabilitiesHackingsocial networks
13 years ago

Recent Posts

CISA pushes Federal agencies to retire end-of-support edge devices

CISA ordered U.S. federal agencies to improve management of edge network devices and replace unsupported…

3 hours ago

Record-breaking 31.4 Tbps DDoS attack hits in November 2025, stopped by Cloudflare

AISURU/Kimwolf botnet hit a record 31.4 Tbps DDoS attack lasting 35 seconds in Nov 2025,…

23 hours ago

Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks

A study found nearly 5 million servers exposing Git metadata, with 250,000 leaking deployment credentials…

1 day ago

U.S. CISA adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SmarterTools SmarterMail and React Native Community CLI…

1 day ago

Hacker claims theft of data from 700,000 Substack users; Company confirms breach

Substack confirmed a data breach after a hacker leaked data from nearly 700,000 users, including…

2 days ago

Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics

Italy stopped Russian-linked cyberattacks targeting Foreign Ministry offices and Winter Olympics websites and hotels, Foreign…

2 days ago

This website uses cookies.