
Facebook vulnerability allows an attacker to prevent any user from blocking them

Vulnerability Report - Facebook Events / Block Bypass

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to prevent any Facebook user from blocking them.

Description of Vulnerability:

1. On Facebook Events you can go to: https://www.facebook.com/events/create/ and create a recurring event — which is simply a single event that repeats at different time intervals.

2. If you create a recurring event and then delete that recurring event, any Facebook user who tries to block you on Facebook will encounter an error message that prevents them from doing so.


Exploitation Scenario:

1. The attacker wants to prevent any Facebook user from blocking them permanently.

2. The attacker goes to: https://www.facebook.com/events/create/, clicks “Repeat event”, sets it to repeat twice, then clicks “Create event”.

3. The attacker deletes this recurring event.

4. The attacker posts abusive comments to any Facebook user or interacts with them inappropriately.

5. The victims try to block the attacker but fail, and they see this error message: "Error performing query."


Impact of the Vulnerability

  • The victim is completely unable to block or restrict the attacker’s Facebook account.
  • Offensive comments remain visible to the victim and to all other users, which allows continuous harassment.
  • The victim is forced to only delete offensive comments, but the attacker can immediately post new ones without limitation.
  • The victim has no clear indication or explanation as to why blocking is not possible, creating confusion and leaving them exposed to ongoing abuse.
  • This vulnerability enables attackers to bypass Facebook’s fundamental safety control (blocking), directly undermining user protection and safety.

Steps to Reproduce:

From Attacker’s Side:

  1. I want to permanently prevent the victim from blocking me on Facebook and Messenger.
  2. Go to: https://www.facebook.com/events/create/
  3. Click “Repeat event”, set it to repeat twice, then click “Create event”.
  4. Delete this recurring event.
  5. Post offensive comments on the victim’s post.

From Victim’s Side:

  1. Open my post and try to block the attacker’s account to prevent them from posting offensive comments on my posts.
  2. As shown, it says: "Error performing query."
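The report does not state why blocking fails after the recurring event is deleted, only that the victim sees a generic "Error performing query". As an added illustration (not code from this post and not Facebook's code), the Python below models one plausible shape of such a failure: a block operation that bundles the safety-critical relationship with unrelated cleanup, so a dangling reference to a deleted event aborts the whole thing. The `Store`, `Event`, invite cleanup and `QueryError` names are hypothetical, and the scenario data is constructed; the design lesson it demonstrates is the general one, which is that a safety control should be committed first and any secondary bookkeeping should be best-effort and logged.

```python
"""Hypothetical model of a "block user" operation.

Not Facebook's code. The report only states that blocking fails after a
deleted recurring event; the cleanup-step root cause modelled here is an
assumption used to show fail-safe structuring of a safety control.
"""

from dataclasses import dataclass, field
import logging

log = logging.getLogger("block_demo")


class QueryError(Exception):
    """Stands in for the generic 'Error performing query' shown to the victim."""


@dataclass
class Event:
    event_id: int
    owner: str
    recurring: bool
    deleted: bool = False


@dataclass
class Store:
    blocks: set = field(default_factory=set)      # (blocker, blocked) pairs
    events: dict = field(default_factory=dict)    # event_id -> Event
    invites: dict = field(default_factory=dict)   # event_id -> set of users

    def events_owned_by(self, user):
        # Hypothetical defect: a deleted recurring series is still listed here.
        return [e for e in self.events.values() if e.owner == user]

    def remove_invite(self, event_id, user):
        ev = self.events[event_id]
        if ev.deleted:
            # Touching occurrences of a deleted series raises a low-level error.
            raise QueryError(f"event {event_id} no longer exists")
        self.invites.get(event_id, set()).discard(user)


def block_user_fragile(store, blocker, blocked):
    """Fragile: the block and every cleanup step form one all-or-nothing unit.

    Any error in cleanup aborts the block itself and surfaces as a generic
    query error, which matches the symptom the report describes.
    """
    staged = set(store.blocks)
    staged.add((blocker, blocked))
    for ev in store.events_owned_by(blocked):
        store.remove_invite(ev.event_id, blocker)   # may raise QueryError
    store.blocks = staged                           # never reached on error
    return True


def block_user_hardened(store, blocker, blocked):
    """Hardened: commit the safety-critical relationship first, then run
    best-effort cleanup, recording partial failures instead of propagating.

    Returns the list of (event_id, reason) cleanup failures for monitoring.
    """
    store.blocks.add((blocker, blocked))
    failures = []
    for ev in store.events_owned_by(blocked):
        try:
            store.remove_invite(ev.event_id, blocker)
        except QueryError as exc:
            failures.append((ev.event_id, str(exc)))
            log.warning("block cleanup skipped event %s: %s", ev.event_id, exc)
    return failures


def is_blocked(store, blocker, blocked):
    return (blocker, blocked) in store.blocks


def build_scenario():
    """Constructed sample state mirroring the report: the attacker created a
    recurring event and deleted it, and the victim now tries to block them."""
    s = Store()
    s.events[1] = Event(event_id=1, owner="attacker", recurring=True, deleted=True)
    s.invites[1] = {"victim"}
    return s


if __name__ == "__main__":
    fragile = build_scenario()
    try:
        block_user_fragile(fragile, "victim", "attacker")
    except QueryError as exc:
        print("fragile block failed:", exc, "| blocked:", is_blocked(fragile, "victim", "attacker"))

    hardened = build_scenario()
    skipped = block_user_hardened(hardened, "victim", "attacker")
    print("hardened block applied:", is_blocked(hardened, "victim", "attacker"), "| cleanup failures:", skipped)
```

The list returned by `block_user_hardened` is also the detection hook: a rise in cleanup failures on the block path, or in generic query errors returned to users from the block endpoint, is the signal a defender would alert on, since the victim in the report had no indication of why blocking was refused.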

Proof of Concept Video

For a detailed demonstration, refer to the PoC video below:

Timeline

  • October 6, 2025: Reported
  • October 7, 2025: Triaged
  • October 8, 2025: Fixed
  • November 3, 2025: Bounty awarded
