
Facebook Anonymous Post Owner Disclosure

Vulnerability Report - Meta Bug Bounty Program

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to disclose the author of anonymous posts or comments in Facebook Groups.

Description of Vulnerability:

  1. In Facebook groups, you can write an anonymous post or comment, and therefore no one should know your identity except the group admins.
  2. If you make an anonymous post or comment, someone then blocks you and writes a comment on it, and you reply to them anonymously, your mention of them in that reply appears as plain text instead of the normal blue clickable link.

Exploitation Scenario:

  1. The victim publishes an anonymous post or comment inside a Facebook group.
  2. The attacker suspects that a specific group member is the owner of this anonymous post or comment.
  3. The attacker blocks the suspected member and then writes a comment on the post/comment asking them something so they will reply.
  4. If the attacker's mention in the victim’s reply appears as a normal blue clickable link, then the suspected member is not the owner of the anonymous post/comment.
  5. If the attacker's mention in the victim’s reply appears as plain text (not a clickable link), then the suspected member is the owner of the anonymous post/comment.
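The mechanism above is a rendering oracle: an observable (link vs. plain text) depends on a secret (the real author's block relationship with the mentioned user). The following toy model is an added example, not Meta's code; every name in it is assumed. It puts the leaky rendering rule beside a hardened one and checks the invariant a defender would test for: for anonymous content, the rendering must be identical whether or not the suspected member wrote it.

```python
from dataclasses import dataclass, field

@dataclass
class Comment:
    real_author: str        # account that actually wrote the comment (assumed field)
    anonymous: bool         # posted through the group's anonymous feature
    mentions: tuple = ()    # user ids @-mentioned in the comment text

@dataclass
class BlockGraph:
    # blocks[a] is the set of users that a has blocked (assumed block semantics)
    blocks: dict = field(default_factory=dict)

    def blocked_either_way(self, a: str, b: str) -> bool:
        return b in self.blocks.get(a, set()) or a in self.blocks.get(b, set())

def render_mention_vulnerable(c: Comment, mentioned: str, g: BlockGraph) -> str:
    # Leaky rule: consults the block state of the REAL author even when the
    # comment is anonymous, so a block set by the mentioned user changes the
    # rendering and reveals who is behind the anonymous persona.
    return "plain" if g.blocked_either_way(c.real_author, mentioned) else "link"

def render_mention_fixed(c: Comment, mentioned: str, g: BlockGraph) -> str:
    # Hardened rule: anything other members can observe about anonymous content
    # is derived from the anonymous persona only, never from the real account.
    if c.anonymous:
        return "link"   # the persona has no block relationships to consult
    return "plain" if g.blocked_either_way(c.real_author, mentioned) else "link"

def rendering_depends_on_author(render, viewer: str, suspect: str) -> bool:
    """Regression check for the invariant: `viewer` has blocked `suspect`; compare
    how the viewer's own mention renders in an anonymous reply written by the
    suspect versus one written by an unrelated member. True means the rendering
    reveals the author, i.e. the oracle from this report still exists."""
    g = BlockGraph(blocks={viewer: {suspect}})          # constructed sample graph
    by_suspect = Comment(real_author=suspect, anonymous=True, mentions=(viewer,))
    by_other = Comment(real_author="unrelated_member", anonymous=True, mentions=(viewer,))
    return render(by_suspect, viewer, g) != render(by_other, viewer, g)

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_mention_vulnerable), ("fixed", render_mention_fixed)):
        print(name, "leaks author:", rendering_depends_on_author(fn, "attacker", "suspect"))
```

The same check generalizes to any attribute of anonymous content that is computed from the real account (reaction visibility, reply restrictions, and so on): if the rendered output for two candidate authors differs, the feature has an oracle.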

Impact of the Vulnerability:

This vulnerability completely breaks the purpose of the Anonymous Post/Comment feature in Facebook groups. By exploiting the difference in how mentions are rendered (blue clickable link vs. plain text), an attacker can reliably deanonymize the author of any anonymous post or comment.

This leads to a serious privacy violation because:

  • The feature explicitly promises that only group admins should be able to know the identity of anonymous authors.
  • Attackers can expose the identities of users posting in sensitive groups (e.g., political, mental health, or support groups).
  • It can put victims at risk of targeted harassment, doxxing, or real-world harm in cases where anonymity is crucial for safety.

Therefore, the vulnerability undermines user trust in Facebook’s privacy guarantees and poses a significant security and privacy risk.


Steps to Reproduce:

From Victim's Side:

● Go to a Facebook group and post an anonymous post.

From Attacker’s Side:

  1. I suspect that the owner of this post is a specific member of the group.
  2. Block the suspected member.
  3. Write a comment on the post asking them something so they will reply to you.

From Victim's Side:

● Reply to the attacker’s comment.

From Attacker’s Side:

  1. If my mention in the victim’s reply appears as a normal blue clickable link, then the suspected member is not the owner of the post.
  2. If my mention in the victim’s reply appears as plain text (not a clickable link), then the suspected member is the owner of the anonymous post.

● “As shown, my mention in the victim’s reply appears as plain text (not a clickable link), which means that the suspected member is the author of the anonymous post.”


Proof of Concept Video

For a detailed demonstration, refer to the PoC video below:


Timeline

  • September 14, 2025: Reported
  • September 16, 2025: Triaged
  • October 17, 2025: Fixed
  • October 29, 2025: Bounty Rewarded
