The bug was reported to Facebook under its bug bounty program after which the researcher was awarded $5,000.
Sometimes the greatest of threats lie in the simplest of vulnerabilities. Such is the case of a research report by researcher Shubham Bhamare which talks about a bug the author discovered on Facebook that allowed the identity of page admins to be exposed without their permission.
Delving into the details, how the flaw works is that suppose someone runs a group associated with a Facebook page. In order to hide their identity, the person may make the page itself as the admin of the group and so all admin activity on it would show up on behalf of the page.
This allows people to hide their real identities, something crucial for pages & groups that share sensitive content in countries with authoritarian legislation and extremist communities.
However, if the admin created a document in the group using the page’s name as shown above, even then, the other admins of the group could see the real admin’s name through the “Edit History” option overriding any privacy restrictions.
The only caveat is that an option that allows other groups members to edit the document needs to be unchecked as shown below:
When reported to Facebook, this thankfully was patched but subsequently, another similar bug was found. According to the researcher’s blog post, this time it was in the “files” feature present in groups. This too along with another 3rd patch was eventually fixed by Feb 9, 2019.
Finally, the researcher was awarded $5000 from Facebook, a handsome sum nonetheless.
To conclude, such a vulnerability could have lead to adverse consequences due to the sensitive nature of many groups. Therefore, it is very important that users lookout for any other hidden bugs that could expose their sensitive information online and report it to the relevant authorities.