Facebook page administrator names were exposed to the general public after a fault struck the social media platform this week.
Egyptian security researcher Mohamed Baset, founder of cybersecurity firm Seekurity, won $2,500 from Facebook’s bug bounty program after finding a flaw in an invitation to like a Facebook page.
Baset described the bug as a “logical error” in an auto-generated email sent on behalf of a Facebook page.
Researchers who point out flaws in company architectures – commonly known as “white-hat” hackers – have been handed more than $5 million by Facebook since 2011.
For business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.
If nothing else, this protects individual employees from getting bombarded with comments and questions, whether they’re praises or rants in place of the account itself.
- Paul Ducklin: Product Manager, BTnet Direct Internet Access
In a statement Facebook admitted there was a problem but claimed the bug had been patched.
What you need to do now
- Facebook Page Admins: Nothing, the bug has been fixed and shouldn’t affect your invites or your security
- Facebook users: Make sure you have your privacy settings how you want them
- You can now choose whether your posts are made Public, which means they are searchable by anyone using Facebook, from journalists to employers to the government, or to share with Friends only
- Bug hunters: Start looking today. Facebook has already paid out more than $800,000 in rewards in the past 12 months to security researchers testing their systems
We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them.
We've addressed the root cause here, and future emails will not contain that information.
- Facebook press statement
How was the flaw exposed?
The email invited Baset to like a Facebook page on which he’d liked an individual post. Page administrators can click a button that generates these emails automatically.
Their aim is to convert readers into followers.
It’s basically the same as when an occasional reader of a blog is asked to subscribe to a newsletter, or an occasional listener to a podcast is asked to join up to the podcast service.
As the email was unusual, Baset decided to look at it in more detail.
He simply opened the ‘show original’ drop-down menu option in the email and found that, in its non-HTML form, the email contained the name and admin ID of the page administrator who had sent the message.
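The leak described above lived in a part of the message the normal HTML view never showed. The following is an added example, not code from the article, from Facebook or from Seekurity, of the kind of pre-send check a platform can run over its own notification templates: it parses a raw MIME email and reports any private field (here the hypothetical admin name and admin ID) that appears in any header or any text part, plain-text and HTML alike. The sample invitation, the field names, the `ALLOWED` set and the `example.invalid` addresses are all constructed for the example.

```python
"""
Added example (not from the article or Facebook): a pre-send check that parses a
raw MIME notification email and verifies that only the fields the template is
allowed to expose appear anywhere in it, including headers and the non-HTML
alternative that "show original" reveals.
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical template context: the page name may be shown to the recipient,
# the sending admin's name and ID must not be.
SAMPLE_CONTEXT = {
    "page_name": "Example Page",
    "admin_name": "Alice Example",
    "admin_id": "123456789",
}
ALLOWED = {"page_name"}


def build_sample_invite() -> bytes:
    """Constructed sample invitation whose plain-text alternative leaks the
    admin name and ID while the HTML part looks clean."""
    msg = EmailMessage()
    msg["From"] = "notification@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "Example Page invited you to like their page"
    msg.set_content(
        "Example Page invited you to like their page.\n"
        "Sent by admin Alice Example (admin id 123456789)\n"  # the leak
    )
    msg.add_alternative(
        "<html><body><p>Example Page invited you to like their page.</p>"
        "</body></html>",
        subtype="html",
    )
    return msg.as_bytes()


def find_leaks(raw: bytes, context: dict) -> list:
    """Return (location, field) pairs for each private template field whose
    value appears in a header or in any text/* body part of the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    private = {k: v for k, v in context.items() if k not in ALLOWED}
    leaks = []

    # Headers are visible in the raw message too, so scan them first.
    for name, value in msg.items():
        for field, secret in private.items():
            if secret in str(value):
                leaks.append((f"header:{name}", field))

    # Walk every MIME part; multipart containers are skipped, and each
    # text part (plain or HTML) is decoded and searched.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        for field, secret in private.items():
            if secret in body:
                leaks.append((part.get_content_type(), field))
    return leaks


def is_safe_to_send(raw: bytes, context: dict) -> bool:
    """Gate for the sending pipeline: True only if no private field leaks."""
    return not find_leaks(raw, context)


if __name__ == "__main__":
    sample = build_sample_invite()
    for location, field in find_leaks(sample, SAMPLE_CONTEXT):
        print(f"leak of {field} in {location}")
    print("safe to send:", is_safe_to_send(sample, SAMPLE_CONTEXT))
```

Checking every part of the message, rather than only the rendered HTML, is the design point: the two alternatives of a multipart/alternative email are produced from the same template context, and a value that was filtered out of one can easily survive in the other.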
Because it is such a treasure trove of personal data, including photographs, home and work addresses, and easily-searchable family relationships, Facebook is a goldmine for anyone seeking to do you harm by exposing, stealing or leaking your information.