A Mexican security researcher recently wrote up a Facebook bug he claims he found in just 2’18”.
Mohamed Baset spotted that autogenerated emails sent on behalf of a named Facebook page revealed more about the accounts behind the page than you’d expect.
This wasn’t exactly a show-stopping bug, but it was enough of a data leakage flaw for Facebook to fix it promptly and pay him a bug bounty of $2500.
The payout certainly brightened up Baset’s day more than his usual morning cup of coffee – the very cup he was drinking when the bug landed in his lap.
Simply put, Baset received an email inviting him to like a Facebook page on which he’d recently liked an individual post.
Page administrators can click a button to generate these emails automatically, aiming to convert readers who have shown an interest in something on a page into followers of the entire page.
That’s a bit like persuading occasional readers of your blog to subscribe to your newsletter, or getting intermittent podcast listeners to tap into your regular podcast feed: a positive engagement with a positive outcome.
Given that he hadn’t seen an email of this sort before from Facebook, Baset figured he might as well see what the raw content of the message looked like – after all, you never know what interesting mysteries might show up in the unprocessed HTML in the email body.
Lo and behold…
…visible in the raw HTML, but not in the on-screen rendering of the email, was the name of the page administrator who clicked the button that sent the message in the first place.
For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much.
But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.
If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself.
What to do?
- If you’re a Facebook page admin: you don’t have to do anything. Facebook already fixed this bug on its side.
- If you’re a Facebook user: you don’t have to do anything. Facebook already fixed this bug on its side.
- If you’re a bug hunter: always check in the obvious places first. Every bug is invisible until someone bothers to look for it.
- If you’re a web programmer: for any web-based or email-based interaction, make a list of data you know should never be in your replies. When you’re testing, go out of your way to look for data that isn’t supposed to be there, so you find data leakage glitches before anyone else does.