Page Admin Disclosure when Posting a Reel

Hello, I’m Syd from the Philippines. Today I would like to share one of my findings in the Meta Bug Bounty Program. The bug that I found is pretty simple and helped me earn 1000 USD.

It was just a normal day and I was checking in on my Facebook account, watching random videos. It came to my mind to check whether there was a new feature in FB4A (Facebook for Android). I noticed that there was a new feature called Reels.

Reels were first introduced by Facebook (now Meta) on September 29, 2021, in the US alone. Reels on Facebook can consist of music, audio, effects and more. You can find them in News Feed or in Groups, and when viewing a reel on Facebook, you can easily follow the creator directly from the video, like and comment on it, or share it with friends.

However, in this current year it was launched globally in 150 countries. So after seeing this feature, I quickly opened my laptop, fired up Burp Suite, and checked whether there was an endpoint that would leak the admin ID of the page. Unfortunately I found nothing, but I did not give up. I remembered that Facebook will pay you if you find a Voice Confusion issue (where the identity under which the admin is acting is unclear). Luckily I noticed that one of my test groups had the Reels feature (I also checked with another account, but Reels was not present there; it seems to be limited to a small market).

Now, here is the interesting part: I used the voice switcher to act as the page and then quickly created a sample reel. After publishing, the reel was posted as the admin instead of the page. Then I quickly made a report and the Meta team triaged it.

In a Facebook group, a member with linked pages can choose how to interact: either as the admin or as the page profile. The vulnerability is in Facebook Reels: whenever the user switches the voice to the page using the voice switcher in a FB group and publishes a Reel, it is posted in the admin's personal voice.

Steps to reproduce:

1. Navigate to your group
2. Switch your voice to the page using the voice switcher floating button
3. Open the composer, then Reel
4. Create a reel of 3 seconds or more, then click “share reel”
5. You will notice that the reel is posted as the admin profile instead of the page (even though you set the voice to the page in the first place)
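
The voice mismatch described above can be modeled and regression-tested as an invariant: every content type must publish under the identity selected in the voice switcher. This is an added example, not code from the original post or from Meta; the `Session`, `Post`, `resolve_actor` and `publish_*` names, the content kinds and the sample IDs are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str         # personal profile of the admin (hypothetical ID format)
    page_ids: frozenset  # pages this user administers
    voice: str           # identity currently selected in the voice switcher


@dataclass(frozen=True)
class Post:
    kind: str
    author_id: str


def resolve_actor(s: Session) -> str:
    """Single source of truth for who is speaking; fails closed."""
    if s.voice == s.user_id or s.voice in s.page_ids:
        return s.voice
    raise PermissionError("selected voice is not an identity of this session")


def publish_vulnerable(s: Session, kind: str) -> Post:
    # Modeled bug: the reel path never consults the voice switcher
    # and falls back to the personal profile.
    author = s.user_id if kind == "reel" else resolve_actor(s)
    return Post(kind, author)


def publish_hardened(s: Session, kind: str) -> Post:
    # Every content type goes through the same actor resolution.
    return Post(kind, resolve_actor(s))


def voice_leaks(publish, s: Session, kinds) -> list:
    """Return the content kinds whose author differs from the selected voice."""
    return [k for k in kinds if publish(s, k).author_id != s.voice]


KINDS = ("text", "photo", "reel")
# Constructed sample identities: an admin acting as their linked page.
ADMIN_AS_PAGE = Session("user:1001", frozenset({"page:2002"}), "page:2002")

if __name__ == "__main__":
    print("vulnerable:", voice_leaks(publish_vulnerable, ADMIN_AS_PAGE, KINDS))
    print("hardened:  ", voice_leaks(publish_hardened, ADMIN_AS_PAGE, KINDS))
```

Running the same check over every new composer or content type as it ships catches a path that resolves the author on its own instead of through the shared voice context.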

Sweet message from Meta Team 😍

Voice-related issues were eligible at the time of the report. Today, Meta no longer rewards such issues.

I found multiple voice-related issues, but Meta closed them as informative since they are no longer eligible.

Make sure to follow me on my Twitter Account.

Thanks and Enjoy Hacking😊

Syd Ricafort

/* Security Researcher && Programmer */