Reveal the page admin that uploaded a video on the page in comment section

3 min readNov 2, 2020

Reveal the page admin that uploaded a video on the page in comment section

This post is about an bug that I found on Facebook which used to disclose the page role person’s User ID when posted a video on comment section of the page.

Recently I read a page admin disclosure writeup that was found by Kassem Bazzoun in https://bugreader.com/kbazzoun@221 .That bug Reveal the page admin that uploaded a video on the page feeds and After reading the Write Up then I decided to try if I can bypass the Fix with different scenarios.

The Question Raised in my mind that how Facebook server will validate the Video ID if it is in Different section in pages.

Example:

Video in Page Cover Pic
Video in Page Conversation
Video in Comment Section on page feeds

The 3rd example disclosed the page admins User ID in response. with same reproduction steps in Kassem Bazzoun Write Up .

Reproduction Steps:

Find if any video was uploaded in comments section of page post. that was uploaded as page.

2. Then the attacker need to get the Video ID of the video in comments by using Facebook Api.

Endpoint: https://graph.facebook.com/v5.0/PAGEID_POSTID?fields=comments{attachment}&access_token=XXXX

3. After getting the Video ID open the https://messenger.com and click any images that was send between the conversation and then click “Info” button. Before Clicking the info button make sure Burp Suite Intercept is on.