Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info

Facebook addressed last week a security flaw that exposed page admin accounts, the bug was exploited against several high-profile pages.

Last week Facebook has addressed a security issue that exposed page admin accounts, the bug was exploited in attacks in the wild against several high-profile pages.

The page admin accounts are anonymous unless the Page owner opts to make the admins public, but a bug allowed anyone to reveal the accounts running a Page.

“The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can’t see, for example, the names of the people who post to Facebook on WIRED’s behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.” reads a post published by Wired.

The “View edit history” in Facebook allows Page admins to view any activity related to pages, including the name of users that made changes to a post. The bug allowed miscreants to reveal the account of the individual who made the changes, including page admins, with serious privacy implications.

Wired confirmed that on message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. The exploitation of the bug was simple, by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that made edits to each post.

Facebook quickly addressed the issue after it was alerted by a security researcher.

“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”

The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.

In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.

Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researchers analyzed the source code of the email sent by the social network and discovered it included the name of the administrator of the page and other info.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.