arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Potentially Identify Facebook Page Admin
4 min read

Potentially Identify Facebook Page Admin

Potentially Identify Facebook Page Admin

On Facebook, as page admins, you can link or unlink your page to or from a group.

Last February 5, 2021, I discovered that it is possible to identify the admin of a Facebook page because of a post created when a Facebook user created a group before linking it to a page.

Let's use this Facebook page below as an example:

DU30
DU30. 42,049 likes · 335,726 talking about this. Gaming Video Creator
Facebook

This page named DU30 has 42,000+ likes and more than 300,000 followers. It is being used as a source of news updates about the President of the Philippines, Rodrigo Duterte.

Checking the Groups tab in the page, I discovered that the page has a linked group.

The linked group was created on June 30, 2020 and is currently visible to anyone.

The linked group has 44,000+ members with 2 admins, DU30 (page) and Manuella (user).

With the information we have gathered right now, we can't say that Manuella is the admin of DU30 (Facebook page). So, we need to find the first post in the group to identify who created the group before it was linked into the page.

Why do we need find the person who created the group?

According to Facebook, "Only Page admins can link or unlink their Page to or from a group".

How do I link one or more Facebook Pages to a group? | Facebook Help Center
>Learn how to link multiple Facebook Pages to a group.
Facebook Help Center

To find the unremovable automatic post from Facebook when someone created a group, you just need to keep on scrolling down the page until it stops scrolling then you will get something like this:

With that information, we can potentially conclude that Manuella Araujo is an admin of DU30 Facebook Page.

So... who is Manuella Araujo?

I don't know (lol). I think the account was hacked or a dummy and is now being used for other purposes.

Facebook decided to close my report regarding to this issue as Informative. Read their explanation below.

Whilst the product team might have added a notice to the UI which points out this edge-case (i.e. where you are the only admin), what you are describing does not appear to constitute a valid admin disclosure but rather intentional product behaviour.

If the admin tries to associate their page with a group in which they are the only admin, the expectation is that this action should be observable by others.

Note: I reported it as "Identify Facebook Page Admin" not as "page admin disclosure".

Timeline:

  • February 5, 2021 at 8:07 PM - Responsible Disclosure to Facebook Security Team
  • February 5, 2021 at 8:07 PM - Auto-response from Facebook
  • February 6, 2021 at 9:32 AM - First response from Facebook Security Team stating that "You could always guess but it doesn't 100% prove this user is any role on the linked page".
  • February 6, 2021 at 9:41 AM - I added additional information and explained how can I use this to identify the page admin.
  • February 9, 2021 at 7:42 AM - Facebook Security Team replied, "Sure you can infer but its not 100%. A user could have been made an admin linked the page and left the group. While we appreciate you sending this in it's not 100% fool proof".
  • February 9, 2021 at 7:48 AM - I replied some information to support my report.
  • February 11, 2021 at 7:27 AM: Last response from Facebook Security Team and they closed the report as Informative.
  • February 11, 2021 at 8:58 AM: Disclosure Request
  • February 12, 2021 at 8:36 AM: "The option to disclose is always up to the researcher."

Credits to TheHackerNews for the image banner.

Popular tags

Privilege Escalation OSCP-Like Machines Linux HackTheBox Bug Bounty