Skip to main content

Facebook vulnerability allows an attacker to prevent any user from blocking them

Vulnerability Report - Facebook Events / Block Bypass

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to prevent any Facebook user from blocking them.

Description of Vulnerability:

1. On Facebook Events you can go to: https://www.facebook.com/events/create/ and create a recurring event — which is simply a single event that repeats at different time intervals.

2. If you create a recurring event and then delete that recurring event, any Facebook user who tries to block you on Facebook will encounter an error message that prevents them from doing so.

Exploitation Scenario:

1. The attacker wants to prevent any Facebook user from blocking them permanently.

2. The attacker goes to: https://www.facebook.com/events/create/, clicks “Repeat event”, sets it to repeat twice, then clicks “Create event”.

3. The attacker deletes this recurring event.

4. The attacker posts abusive comments to any Facebook user or interacts with them inappropriately.

5. The victims try to block the attacker but fail, and they see this error message: "Error performing query."

Impact of the Vulnerability

  • The victim is completely unable to block or restrict the attacker’s Facebook account.
  • Offensive comments remain visible to the victim and to all other users, which allows continuous harassment.
  • The victim is forced to only delete offensive comments, but the attacker can immediately post new ones without limitation.
  • The victim has no clear indication or explanation as to why blocking is not possible, creating confusion and leaving them exposed to ongoing abuse.
  • This vulnerability enables attackers to bypass Facebook’s fundamental safety control (blocking), directly undermining user protection and safety.

Steps to Reproduce:

From Attacker’s Side:

  1. I want to permanently prevent the victim from blocking me on Facebook and Messenger.
  2. Go to: https://www.facebook.com/events/create/
  3. Click “Repeat event”, set it to repeat twice, then click “Create event”.
  4. Delete this recurring event.
  5. Post offensive comments on the victim’s post.

From Victim’s Side:

  1. Open my post and try to block the attacker’s account to prevent them from posting offensive comments on my posts.
  2. As shown, it says: "Error performing query."

Proof of Concept Video

For a detailed demonstration, refer to the PoC video below:

Timeline

  • October 6, 2025: Reported
  • October 7, 2025: Triaged
  • October 8, 2025: Fixed
  • November 3, 2025: Bounty awarded

Follow Me:

Comments

Post a Comment

Popular posts from this blog

Facebook Anonymous Post Owner Disclosure

Vulnerability Report - Meta Bug Bounty Program Hello, Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to disclose the author of anonymous posts or comments in Facebook Groups. Description of Vulnerability: In Facebook groups, you can write an anonymous post or comment, and therefore no one should know your identity except the group admins. If you make an anonymous post or comment, and then someone blocks you and writes a comment on your post or comment, and you reply to them anonymously, their mention in your reply will appear as plain text instead of the normal blue clickable link. Exploitation Scenario: The victim publishes an anonymous post or comment inside a Facebook group. The attacker suspects that a specific group member is the owner of this anonymous post or comment. The attacker blocks the suspected member and then writes a comment on...
Post a Comment
Read more

Critical Privilege Escalation Vulnerability in Teleport ($21,000)

Teleport | Report #2281075 | HackerOne Link to YouTube Video 259 #2281075 Copy report id Copy report id access list owner can escalate his role to the highest roles Add Hacker summary Timeline · export moaz219 submitted a report to Teleport . December 11, 2023, 6:28pm UTC Menu Menu Summary: Go to [your-domain.teleport.sh/web/accesslists]. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. Add a user as the Access List Owner. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating their own account's role. This is a prohibited procedure, as stated here , that Owners are not able to control what roles and traits are granted by the Access List. Steps To Reproduce: From Organization Owner Account: Go to [your-domain.teleport.sh/web/accesslists]. Create a new access list. Add a user as List Owner. Add a role to "R...
Post a Comment
Read more