Last week Facebook addressed a security issue that exposed the accounts of Page admins. The bug was exploited in the wild in attacks against several high-profile pages.
Page admin accounts are anonymous unless the Page owner opts to make the admins public. Because of the bug, anyone could reveal the accounts running a Page.
The “View edit history” feature in Facebook lets Page admins view any activity related to pages, including the names of the users who made changes to a post. The bug allowed criminals to reveal the account of the individual who made the changes, including page admins, with serious privacy implications.
On message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. The bug was easy to exploit: by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that made edits to each post.
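The flaw described above amounts to an edit-history response that names the editing account without checking who is asking. The following added example (not Facebook's code and not from the original article) contrasts a renderer that returns the editor to every viewer with one that attributes admin edits to the Page unless the viewer is an admin or the owner has made admins public; all class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Edit:
    editor_id: str    # account that actually made the change
    editor_name: str
    text: str

@dataclass(frozen=True)
class Page:
    page_id: str
    name: str
    admin_ids: frozenset
    admins_public: bool = False  # owner opt-in to show admins

def history_unsafe(page, edits, viewer_id):
    # Flawed: every viewer gets the editing account, admin or not.
    return [{"actor_id": e.editor_id, "actor_name": e.editor_name,
             "text": e.text} for e in edits]

def history_safe(page, edits, viewer_id):
    # Decide once whether this viewer may see the real admin accounts.
    may_see_admins = page.admins_public or viewer_id in page.admin_ids
    rows = []
    for e in edits:
        if e.editor_id in page.admin_ids and not may_see_admins:
            # Attribute the edit to the Page itself, not the person.
            actor_id, actor_name = page.page_id, page.name
        else:
            actor_id, actor_name = e.editor_id, e.editor_name
        rows.append({"actor_id": actor_id, "actor_name": actor_name,
                     "text": e.text})
    return rows

def leaked_admin_ids(page, rows):
    # Regression check: admin account ids present in a response.
    return {r["actor_id"] for r in rows} & page.admin_ids

# Constructed sample data (not real accounts).
PAGE = Page("page:1", "Example Page", frozenset({"user:100", "user:101"}))
EDITS = [Edit("user:100", "Alice Admin", "First draft"),
         Edit("user:101", "Bob Admin", "Fixed typo")]

if __name__ == "__main__":
    for render in (history_unsafe, history_safe):
        rows = render(PAGE, EDITS, viewer_id="user:999")
        print(render.__name__, "leaks:", sorted(leaked_admin_ids(PAGE, rows)))
```

Running `leaked_admin_ids` over responses rendered for a non-admin viewer is the kind of check that belongs in a regression suite for any endpoint that returns authorship metadata.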
Facebook immediately addressed the issue after it was alerted by a security researcher.
The pages targeted by hackers included those belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.
A similar vulnerability was discovered on Facebook in February 2018 by the security researcher Mohamed Baset.
He explained that the flaw was a logical error that he found after receiving an invitation to like a Facebook page on which he had liked a post. The researchers analyzed the source code of the email sent by the social network and found that it included the name of the administrator of the page and other info.