Introduction
A Facebook event is a feature that allows Facebook users or page operators to create a calendar-based invitation to an event. A Facebook event can be sent to a select group of people and will include information about the event, the time and date of the event and even images related to the event.
A Facebook event provides a simple, hands-off way for Facebook users to send invitations to their friends. Because of the interactive nature of Facebook, a Facebook event can also help create commenting and buzz about a particular event.
The finding
This bug was found when I unexpectedly received a notification for a deleted event in a closed group which I had previously left. The issue stemmed from a misconfiguration in Facebook Events: blocked users, and users who had left the group, could still receive notifications from deleted events, even after the event owner had removed them. This discovery was made without any intentional testing, underscoring the inadvertent exposure of sensitive information to users who should no longer have had access.
Reproduction Steps
Step 1 – Victim Account Perspective:
- Navigate to your group and create an event.
Step 2 – Victim Account Perspective:
- Go to the group members and block the attacker account.
Step 3 – Victim Account Perspective:
- Access the created event.
- Edit the name of the group or any details.
- Save the changes.
- Delete the event.
Step 4 – Attacker Account Perspective:
- Ensure the attacker account is blocked or has been removed from the group, preventing access to any group content, including event information.
- Despite being blocked or removed, the attacker account still receives a notification for the deleted event, containing the last update to the event name.
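A defender's view of the fault, as an added Python example that is not Facebook's code: a notification fan-out that reuses the recipient snapshot taken when the event was created, beside one that re-validates each recipient against the group's current membership and block list at delivery time and emits nothing for a deleted event. The Group and Event classes, the user names and the scenario values are assumptions constructed to mirror the reproduction steps above.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    members: set
    blocked: set = field(default_factory=set)


@dataclass
class Event:
    group: Group
    name: str
    subscribers: set          # recipient snapshot captured at creation time
    deleted: bool = False


def fanout_stale(event: Event) -> set:
    """Faulty pattern (constructed to mirror the report): recipients come from
    the snapshot taken at creation and are never re-checked, so a user who was
    blocked or left the group, and a deleted event, still produce deliveries."""
    return set(event.subscribers)


def fanout_checked(event: Event) -> set:
    """Hardened pattern: a deleted event emits no notification at all, and each
    remaining recipient must still be a current member and not on the block list
    at the moment of delivery."""
    if event.deleted:
        return set()
    g = event.group
    return {u for u in event.subscribers if u in g.members and u not in g.blocked}


def simulate_report() -> dict:
    """Constructed scenario following Steps 1-4 of the reproduction."""
    victim, attacker = "victim", "attacker"
    group = Group(members={victim, attacker})
    event = Event(group, "Team meetup", subscribers={victim, attacker})   # Step 1
    group.members.discard(attacker)                                       # Step 2
    group.blocked.add(attacker)
    event.name = "Team meetup (moved)"                                    # Step 3
    event.deleted = True
    return {"stale": fanout_stale(event), "checked": fanout_checked(event)}
```

The stale fan-out still lists the blocked account for the deleted event; the checked fan-out delivers nothing, and for a live event it would drop the blocked account while keeping the victim.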
Timeline
Sarmad | 28 Aug 2018
- Initial Report
Meta Bug Bounty | 31 Aug 2018
- Report Triaged
Meta Bug Bounty | 19 Dec 2018
- Bounty Awarded
Meta Bug Bounty | 31 Jan 2019
- Bug Fixed
Sarmad | 31 Jan 2019
- Fix Confirmed