Hello everyone, this post is about disclosing a page's admin via Watch Party. So, what is Watch Party?
Facebook Watch Party is a new feature for groups that allows users, pages and groups to hold a live screening of pre-recorded videos that are publicly available on Facebook.
In this case the vulnerable app is the Facebook Page iOS/Android app. When you start a watch party and someone joins it, you can see the joined members in the bottom bar.
I sent a watch party invitation link to a page via message, and after the page joined it I could see the page's profile, not the page admin's profile. As you know, the watch party shows the current user's profile: if you join the watch party as a user it shows the user's profile, and if you join as a page it shows the page's profile.
From the Facebook web version there is no way to get the page admin's profile, because when you join the watch party it shows the page profile. So I moved to the “Facebook Page” app. In this app you can read the page's inbox messages, create posts, update pages, etc. When you open that invited watch party link via the “Facebook Page” app, it redirects to the “Facebook” app, where you are currently logged in as yourself, and automatically joins the watch party. That means your own profile appears in the watch party viewers list instead of your page's profile.
Attack scenario:
- User/Page A creates a watch party, hides it from the timeline and sends the watch party link to Page B via message.
- Page B opens that watch party link via the “Facebook Page” app, which redirects to Page B's Facebook main app, where User B (Page B's admin) is logged in, and automatically joins the watch party.
- User/Page A sees User B's profile at the bottom of the watch party as a viewer instead of Page B's profile, which discloses Page B's admin.
This is how I managed to get the page admin's profile and got rewarded by Facebook.
May 19, 2019 – Report sent
May 23, 2019 – Confirmation of submission by Facebook
May 24, 2019 – Further investigation by Facebook
June 20, 2019 – Fixed by Facebook
June 21, 2019 – 4 digit Bounty Awarded