Hi All,

I am Vivek. This is about a bug that I found in the Facebook private events. I reported almost 7 issues in the month of January and February this year but all the reports were closed as either informative or duplicate. So after reading some write-ups I decided to check the Facebook events and luckily I was able to find some logical issues in that area.

Facebook events have an option to hide the members list to protect the user privacy. I tried different cases and monitored many web requests to check if there is an endpoint that is leaking the members information. Logical bugs are all about observing and thinking out of box. I remembered that when a member is not present in a Facebook group and if we share their profile URL as a comment or post inside that group, Facebook will show the link with a CSS class named ‘WeakReference’ to inform the members that the specific user is not a member of that group.

I tried the same in the private event too and found the similar behavior. So even if the member list is hidden, an attacker is able to find if someone is a member of the event by just sharing the victim’s profile in any comment or as a new post. I reported it to the security team immediately.

Facebook rewarded me for finding this logical issue.