arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Download a copy of any Facebook Page
3 min read

Download a copy of any Facebook Page

Download a copy of any Facebook Page

Here's the full story of how I discovered a Facebook bug worth $8,000 USD by discovering three (3) different vulnerabilities in a Facebook Page.


Matt Navarra, TheNextWeb's social media director, posted a tweet last January 5, 2016 about a Facebook feature called the "Download Page"

After discovering the new feature, I immediately look for a flaw and quickly found three (3) vulnerabilities:

  1. Unauthorized Access in General Settings - By default, the Admin can only access this.
  2. Vertical Privilege Escalation in Download Page feature
  3. Insecure Direct Object Reference in Download Page feature


I conducted some research about Facebook Pages and found this page: (2016)

With that, I already knew that there's a security issue because as an Editor of a Facebook page I was able to access the General Settings.

I continued conducting some research and found this another page: (2016)

The "Download Page" feature is accessibly to Facebook Page Admin only. If you're not an admin, you are not allowed to download a copy of the page.


Privilege Escalation

Initially, I created two (2) different accounts and one (1) facebook page.

  • Account A: Admin
  • Account B: Editor

Using the Admin-role account, I downloaded a copy of the Facebook page and captured its request using Burpsuite tool.

The POST requests are like this:

<form action=”/dyp/dispatch/?page_id=12345" method=”post”>
<input type=”hidden” name=”fb_dtsg” value=”AQG21wqhJ0g4" automcomplete=”off”>
<button value=”1" type=”submit”>
Get Started
<form rel=”async” action=”/dyp/download/?page_id=12345" method=”post”>
<input type=”hidden” name=”fb_dtsg” value=”AQHnr-Cvy88k” automcomplete=”off”>
<button value=”1" type=”submit”>
Download Page

With that kind of request, I immediately think of other possible scenarios like "What if I can also download a copy of other Facebook pages?"

But before that, I continued exploiting the Privilege Escalation. So I sent the POST requests to Repeater Tab of Burp and changed the sessions from Admin account's session to Editor account's session.

Sent the requests back to Facebook and it worked! I was able to download the copy of the Facebook page without having an admin role.

Insecure Direct Object Reference

Going back to other scenario, I used the same POST request and just changed the value of page_id parameter from 12345 to other Page ID of other Facebook pages.

Then I sent the requests back to Facebook and it worked!


How did Facebook Security Team fixed these vulnerabilities?

  1. If you’re an Editor of a Facebook Page, you are no longer access the General Settings anymore and you will be redirected to About Section of the Facebook Page.
  2. They temporarily took down the new feature to fix the issues internally.


Date and Time Activity
Jan 6, 2016 1:44 AM Report submitted to Facebook
Jan 7, 2016 2:16 AM Angelo of FB Security Team responded that they will investigate the issue.
Jan 9, 2016 3:44 AM Jimio of FB Security Team responded that they patched the issue.
Jan 9, 2016 3:50 AM I responded that the issue is no longer working on my end.
Jan 9, 2016 7:43 AM Facebook rewarded me $8,000 USD Bug Bounty.