Facebook has patched an information disclosure vulnerability in a new feature it was testing that exposed the identities of page administrators, researcher Mohamed Baset reported this week.
Baset said he discovered the issue, which he described as a “logical error,” in just 2 minutes and 18 seconds, shortly after receiving an invitation to like a Facebook page on which he had previously liked a post.
After Baset reported the issue through its bug bounty program, Facebook acknowledged the vulnerability and awarded him $2,500. The finding required no testing, proof-of-concept code, or other time-consuming work; reading the message was enough.
The payout certainly brightened up Baset’s day more than his usual morning cup of coffee – the very cup he was drinking when the bug landed in his lap.
Baset noticed that the autogenerated emails Facebook sends on behalf of a named page revealed more about the accounts behind the page than a recipient would expect.
He had not liked the page itself; the feature under test let page admins invite users who had interacted with any of the page’s content but had not yet liked the page.
The rendered message showed only the page. Viewing the email’s source, however, the researcher found that it also carried the name of the page’s administrator and other details that the recipient would never see unless they looked at the raw message.
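The check that finds a bug of this kind is mechanical: compare what a notification email's source carries (headers, HTML comments, hidden elements) against what the recipient's client actually renders. The script below is an added example written for this page, not code from the article, from Baset, or from Facebook. The sample message, its `X-Sender-Account` header, the account name `jane.doe.admin` and the uid are all constructed for illustration.

```python
"""Audit a raw notification e-mail for identifiers that appear in its
source but not in what the recipient actually sees.

Added example; the message below is constructed and is not a real
Facebook notification.
"""
import re
from email import message_from_string
from typing import Dict, List, NamedTuple

# Constructed sample: the visible text names only the page, while a custom
# header, an HTML comment and a display:none element name the account
# behind it. Header name, account name and uid are invented.
SAMPLE_EMAIL = """\
From: "Example Page" <notification@example.invalid>
To: visitor@example.invalid
Subject: Example Page invited you to like their page
X-Sender-Account: jane.doe.admin
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=utf-8

Example Page invited you to like their page.

--BOUNDARY
Content-Type: text/html; charset=utf-8

<html><body>
<!-- sent on behalf of admin: jane.doe.admin (uid 1234567) -->
<p>Example Page invited you to like their page.</p>
<span style="display:none">owner=jane.doe.admin</span>
</body></html>

--BOUNDARY--
"""

# Headers a mail client normally renders; everything else counts as hidden.
VISIBLE_HEADERS = {"from", "to", "cc", "subject", "date", "reply-to"}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HIDDEN_ELEMENT_RE = re.compile(
    r"<(\w+)[^>]*display\s*:\s*none[^>]*>(.*?)</\1>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")


class EmailParts(NamedTuple):
    visible: str                    # text the recipient sees
    hidden_headers: List[tuple]     # (name, value) pairs not normally shown
    comments: List[str]             # HTML comment bodies
    hidden_elements: List[str]      # contents of display:none elements


def extract_parts(raw: str) -> EmailParts:
    """Split a raw RFC 5322 message into visible text and hidden material."""
    msg = message_from_string(raw)
    hidden_headers = [
        (name, value) for name, value in msg.items()
        if name.lower() not in VISIBLE_HEADERS
        and not name.lower().startswith(("content-", "mime-"))
    ]
    visible, comments, hidden_elements = [], [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container itself
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8")
        if part.get_content_type() == "text/html":
            comments.extend(c.strip() for c in COMMENT_RE.findall(body))
            hidden_elements.extend(
                m[1].strip() for m in HIDDEN_ELEMENT_RE.findall(body))
            # What the client renders: no comments, no hidden elements, no tags.
            body = COMMENT_RE.sub("", body)
            body = HIDDEN_ELEMENT_RE.sub("", body)
            body = TAG_RE.sub(" ", body)
        visible.append(body)
    return EmailParts(" ".join(visible), hidden_headers, comments, hidden_elements)


def audit_disclosure(raw: str, sensitive: List[str]) -> Dict[str, List[str]]:
    """Report where each sensitive identifier appears in the message source
    without also appearing in the rendered text. Identifiers the recipient
    can see anyway are not reported."""
    parts = extract_parts(raw)
    visible = parts.visible.lower()
    findings: Dict[str, List[str]] = {}
    for ident in sensitive:
        needle = ident.lower()
        if needle in visible:
            continue
        places = [f"header {name}" for name, value in parts.hidden_headers
                  if needle in value.lower()]
        if any(needle in c.lower() for c in parts.comments):
            places.append("html comment")
        if any(needle in e.lower() for e in parts.hidden_elements):
            places.append("hidden element")
        if places:
            findings[ident] = places
    return findings


if __name__ == "__main__":
    watchlist = ["jane.doe.admin", "1234567", "Example Page"]
    for ident, places in audit_disclosure(SAMPLE_EMAIL, watchlist).items():
        print(f"{ident}: present in source only, via {', '.join(places)}")
```

On the constructed sample the admin account name is reported three times (custom header, HTML comment, hidden element) and the uid once, while the page name is not reported because the recipient sees it anyway. Against a real template pipeline the watchlist would be the set of internal fields (owner account, internal ids, tokens) that the rendered notification is supposed to keep private.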
This wasn’t a show-stopping bug, but it was enough of a data leak for Facebook to fix it promptly.
This latest Facebook bug report shows that bug hunters need not only technical skills but, more often than not, a hunting mentality that spots problems in obvious but easy-to-miss places.
Facebook continues to attract much of the white hat hacking community; the social networking giant recently announced that it paid over $880,000 in bug bounties last year, bringing its total rewards to over $6,300,000.