Determine Facebook Page Admin through Facebook Like

Program: Facebook
Vulnerability Type: Identification / Deanonymization
Product Area: Pages

This issue was reported during the BountyCon 2019 in Singapore.

Description

On Facebook, any user can invite someone to like a Facebook page. However, the wording of that invitation can be used to determine whether or not the inviter is part of the Facebook page.

This issue is somewhat similar to Philippe's report on determining the members of a closed Facebook group.

Proof of Concept

If the invitation is from someone who is part of the Facebook page, the invitation message is as follows:

I used the invitation panel on the sidebar of the Facebook Page.

If the invitation is from someone who is NOT part of the Facebook Page, the invitation message is as follows:

I used the "Community" panel to invite someone to like a Facebook Page.

Impact

It was possible to infer the identity of a page admin from the wording of the invitation message.

Timeline

March 24, 2019 - Report submitted
March 30, 2019 - Further investigation by Facebook
March 31, 2019 - Fixed by Facebook
March 31, 2019 - $1,000 bounty awarded by Facebook
March 31, 2019 - Additional $1,000 bounty awarded by Facebook as a special bonus for page admin de-anonymization
March 31, 2019 - Additional $1,000 bounty awarded by Facebook as the bonus for best written report of BountyCon 2019