Wednesday, April 21, 2021

Facebook Bug POC - Admin disclosure by "Team members" feature

During content discovery, I was redirected to a page which pushed me to the old Facebook UI.

The somewhat broken page initially gave an error, but was showing the "Team Member" window with Admin links (needed Messenger authentication).


https://www.messenger.com/hackingmonks

As far as I knew, this feature had been stopped, so there's no way to edit these settings. These Admin links were for current Admins who had added themselves to "Team Members" before the feature got stopped. If a particular Admin left or was removed, links wouldn't be visible.

Timeline -

Reported    - Thursday, 4 February 2021 at 13:37
Triaged     - Friday, 19 February 2021 at 23:37
Fixed       - Thursday, 25 February 2021 at 17:08
Rewarded    - Tuesday, 9 March 2021 at 15:35