[Facebook] Bypass Admin Approval in Groups for Events

 

A hacker could have bypassed Admin's approval for posting an Event in a Group.

POC -

Create an Event in the target Group and copy the post link.

Delete it before Admin approval or denial.

Using the link, again visit the Event post and invite members.

This Event post would not appear on the timeline of the Group and no noty would be sent to the Admins.

Timeline -

Reported - Thursday, October 18, 2018

Marked Duplicate - Friday, October 19, 2018

It is now fixed.