Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities
One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page.
Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.
Creative Hub enables users to collaborate on ad mockups, and the ads can be previewed by creating an invisible post on the selected page.
Darabi discovered that changing the page ID parameter in the request sent when creating such an invisible post caused the post to be created on the Facebook page associated with the specified page ID.
When an invisible post is created to preview an ad, Facebook checks if the user has the permissions needed to post on the targeted page.
Darabi told SecurityWeek that an attacker could have easily shared the invisible post on Facebook groups, profiles and pages.
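The flaw class described above (a page ID taken from the request and never tied to the caller's permissions on that page) is shown below as an added example; it is not Facebook's code. The service, role table, user names and page IDs are all hypothetical and constructed for illustration: one handler trusts the parameter, one checks the caller's role on the requested page, and a retrospective check finds posts whose author holds no role on the page.

```python
# Added illustration: hypothetical service and data, not Facebook's code.
from dataclasses import dataclass, field

# Constructed sample data: which user holds which role on which page.
PAGE_ROLES = {
    ("alice", "page_100"): "advertiser",
    ("bob", "page_200"): "admin",
}
ROLES_ALLOWED_TO_POST = {"admin", "editor", "advertiser"}


class Forbidden(Exception):
    """Caller has no posting role on the page named in the request."""


@dataclass
class PreviewService:
    posts: list = field(default_factory=list)   # created invisible posts
    denied: list = field(default_factory=list)  # audit trail of rejected attempts

    def create_preview_unchecked(self, session_user, params):
        # Flawed pattern: the page comes straight from the request and
        # nothing ties it to the authenticated user.
        post = {"page": params["page_id"], "author": session_user, "visible": False}
        self.posts.append(post)
        return post

    def create_preview_checked(self, session_user, params):
        # Hardened pattern: look up the caller's role on the requested page
        # server-side, on every request, before any write happens.
        page_id = params["page_id"]
        role = PAGE_ROLES.get((session_user, page_id))
        if role not in ROLES_ALLOWED_TO_POST:
            self.denied.append((session_user, page_id))  # signal for detection
            raise Forbidden(f"{session_user} has no posting role on {page_id}")
        post = {"page": page_id, "author": session_user, "visible": False}
        self.posts.append(post)
        return post


def posts_without_role(service):
    """Retrospective check: posts whose author holds no role on the page."""
    return [p for p in service.posts
            if PAGE_ROLES.get((p["author"], p["page"])) not in ROLES_ALLOWED_TO_POST]
```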