[Facebook] Page Admin Disclosure via feedback endpoint


A hacker could see who created a post on a Facebook Page.
This would disclose the Admins and the Editors.

POC -

Go to the target Page post, click on give feedback option and select any feedback like "spam" or "violence".

While sending the feedback request by hitting "Send" button, Intercept with burp.

Copy the request prams "context" and use any URI decoder.
It will contain the Admin ID as Content Creator Admin ID.
For ex- "actor_id\":123,\"role\":1,\

Timeline -

Reported - Wednesday, February 14, 2018
Triaged - Friday, February 16, 2018
Fixed - Tuesday, February 20, 2018
Rewarded - Friday, February 23, 2018