One of the common ways to trick users into spreading fake news is to show them content that looks credible and appears to come from a legitimate source.
In this writeup, I will demonstrate and discuss a design issue on Facebook that allowed me to inject a post from a fake Facebook page into a legitimate Facebook page.
For the proof of concept, I decided to look for a legitimate Facebook page without the Blue Verification badge. The Facebook page of the Bureau of Internal Revenue (BIR) Philippines has more than 270,000 likes and is currently active on Facebook, which makes it a good page for this demonstration.
First, I created a new Facebook Page imitating the legitimate Facebook Page of BIR. However, while creating the page, Facebook does not allow a page to be created with a name that already exists.
So I added an extra "s" at the end of the page name to get past that check.
Facebook also has a feature that allows page administrators to request a change to the page name, so I submitted a request.
Facebook acknowledged the request after a few seconds!
The next thing I did was to copy some key details from BIR's legitimate FB page over to the fake FB page.
The next step is to create a fake Facebook post on the fake page.
Now that we have a fake Facebook post, the next step is to use the link below to inject this fake post into BIR's Facebook Page.
The Post ID of the fake Facebook post is 114727080435383, and the Page ID of BIR's legitimate FB Page is 313721258793029.
The final Link for sharing is:
Watch the final result here:
Sharing this exact link/URL could spread fake news and could trick people into clicking on something malicious, because they assume the fake post comes from the legitimate FB page that they liked or followed.
(I know that this kind of issue might be considered/seen as part of social engineering, because the whole process is just impersonating a page to deceive users, but I still reported it to see whether it would be considered by the Facebook Security Team.)
Here is the response from Spencer of the Facebook Security Team:
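As an added illustration (not code from the original writeup and not Facebook's implementation), the following Python model shows the trust problem in a share link that carries both a page ID and a post ID, and the server-side ownership check that closes it: the post's real owner is looked up and the post is never rendered under a page it does not belong to. The link layout, the fake page's own ID, the page names and the second post are assumptions made for this example; only the two IDs quoted above come from the writeup.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the post database: post ID -> ID of the page that owns it.
# 114727080435383 and 313721258793029 are the IDs quoted in the writeup; the fake
# page's own ID, the second post and the page names are placeholders made up here.
POST_OWNER = {
    "114727080435383": "FAKE_PAGE_ID_PLACEHOLDER",  # the fake post, owned by the impersonating page
    "900000000000001": "313721258793029",           # constructed: a genuine post on the BIR page
}

PAGE_NAME = {
    "313721258793029": "Bureau of Internal Revenue Philippines",
    "FAKE_PAGE_ID_PLACEHOLDER": "Bureau of Internal Revenue Philippines (impersonation)",
}


def parse_share_link(url):
    """Pull (page_id, post_id) out of a share link.

    The writeup does not reproduce the real link, so this assumes a hypothetical
    layout: https://example.invalid/share?page=<page_id>&post=<post_id>
    Returns None if either parameter is missing.
    """
    query = parse_qs(urlparse(url).query)
    page = query.get("page", [None])[0]
    post = query.get("post", [None])[0]
    if not page or not post:
        return None
    return page, post


def display_page_vulnerable(page_id, post_id):
    """Flawed behaviour as described in the writeup: the page ID taken from the
    URL decides which page the post is shown under, with no check that the post
    actually belongs to that page. Returns the page name the viewer would see."""
    if post_id not in POST_OWNER:
        return None
    return PAGE_NAME.get(page_id)


def display_page_hardened(page_id, post_id):
    """Fixed behaviour: resolve the post's real owner from the database and refuse
    to render the post under any other page. Returns the page name, or None to
    reject the link (a rejection is also a good place to log the mismatch)."""
    owner = POST_OWNER.get(post_id)
    if owner is None or owner != page_id:
        return None
    return PAGE_NAME.get(owner)


def check_share_link(url, handler):
    """Parse a share link and run it through the chosen display handler."""
    parsed = parse_share_link(url)
    if parsed is None:
        return None
    return handler(*parsed)


if __name__ == "__main__":
    # Constructed link pairing the fake post with the legitimate page's ID.
    link = "https://example.invalid/share?page=313721258793029&post=114727080435383"
    print("vulnerable:", check_share_link(link, display_page_vulnerable))
    print("hardened:  ", check_share_link(link, display_page_hardened))
```

The vulnerable handler shows the fake post under the legitimate page's name purely because the URL said so; the hardened handler returns None for the same link and only renders the post under the page that owns it.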
Essentially what you are reporting here is impersonation by means of social engineering, which isn't in scope for our whitehat program.
We provide companies with controls to prove they're the authentic owner of a Facebook page and we provide our users with controls to report anything that is against our policies, which this certainly is.
As such we're closing out this report (as Informative) and look forward to working with you in the future.
Recommendations to Facebook Page Owners
To prevent this kind of impersonation in the future, it is recommended that you verify your Facebook Page to obtain the Blue verification badge.
P.S. After making the proof of concept, I have already removed the Facebook Page and the Facebook Post.
Update: Facebook decided to reopen the issue and award me with a bug bounty.