Facebook has announced the fix of a vulnerability that would have allowed threat actors to post to any page without admin control: “An attacker could share a post in any group, profile, or page as if it were an original post,” the security report says.
The flaw was reported to the company through its vulnerability rewards program. The investigator responsible received a payment of $30,000 USD for the finding and proper presentation of the report.
The researcher mentions that the flaw was so severe that it was even possible to make malicious posts on pages verified by the social network: “Users trust that these are secure platforms, which increases the risks of the attack,” the researcher adds.
The researcher received a payment for each of the two exploits he submitted, both affecting Facebook Creative Hub. Marketing employees can simulate ads in Creative Hub and create posts that are in practice invisible to Facebook users, allowing you to preview and share this kind of content with your colleagues, all before posting the actual advertisement.
The flaw allowed you to create an invisible post and then intercept the Facebook request to create a post and change the page_id to the page on which the attacker wanted to post: “After clicking <<Share>>, the Creative Hub API responds with a new URL to share the post; the URL is presented in a similar way https://www.facebook.com/ads/previewer/__PREVIEW_KEY__”.
The point is that permission verification is not applied before generating a post, so the attack allows you to create this new post on any page with a page_id page. All it takes is to find the post_id on any ad preview endpoint.
After analyzing the report, Facebook corrected the vulnerability in late November 2020. The social media giant mentions that no evidence of exploitation was found in real-world scenarios.