A new facebook vulnerability discovered by the Security researcher that allows revealing the Facebook page admin identity in plain text.
Facebook introduced new future for Page Admins that allows to getting page followers by targeting the specific audience who is liked the page post but not the page.
So if you liked the specific post from any page that you’re actually not following, page notifying you via mail that let you recommend to like the concern page.
Security Researchers Mohamed, who received the same notification to his inbox and he made an investigation in this regards and find this Vulnerability.
“He said, One day I liked one of the posts of a specific page but i didn’t liked or followed the page itself after a few days I got an email notification from Facebook regarding an invitation to like the page that i did already liked one of its posts, I was amazed by the feature but i realized that this is a feature to target non-fans and i was wondering what could go wrong since this is a new feature ?”
Since there is no possibility to initiate any attacks, he investigates the Email Notification and he analysis the Mail header by clicking showing the “Original” of the message (that can be achieved by clicking on the little drop-down menu arrow beside the message reply button)
Finally, he finds the information about the page and the admin of the page and other related information.
Later he reported this bug to the Facebook security team and Facebook awarded a bug bounty of $2500.
Source : GBHackers