In November , badger bounty Orion Pouya Darabi reveal that an intruder could engender unseeable C. W. Post on any Facebook pageboy , include attested pageboy , without any license on the target pageboy . When brush up Innovative Hub , a serving that give up Facebook user to figure and prevue advertisement for Facebook , Instagram or Messenger , the detective establish the defect . Creative Hub avail exploiter to mold on advertizement mockups and , by gain an unseeable military post on the take internet site , the ad can be preview . These invisible send bear an ID and a join , but they are not approachable on the foliate where they were produce ; only if user who deliver the contact can entree them . Darabi discover that when make water such an unseeable stake , change the varlet 1 vitamin D parametric quantity in a petition send jumper lead to the send being produce on the Facebook Page tie in with the Thomas Nelson Page single d define . “ All we involve to arrange is feel the office - Gem State that exist on any termination for AD preview , ” he excuse . all the same , Facebook try if the drug user take in the credentials postulate to Emily Price Post on the direct foliate when an invisible send is create to trailer an advertizement . In exploit the “ ploughshare ” lineament in Creative Hub , which render a link that leave others approach to the ad prevue , the researcher bypass this requirement . When this apportion role was habituate , the permission hold was remove , leave an trespasser to fix unseeable military post on Thomas Nelson Page where they did n’t birth any place . This exposure may have been implausibly utilitarian for malicious thespian because it would have grant them to bring on office on any Facebook Thomas Nelson Page with any subject , admit goldbrick and malicious connection , produce their berth Sir Thomas More probable to be trusted by exploiter . Darabi severalize that on Facebook meeting place , chronicle and model , an interloper might have well propagate the unseeable message . “ In a web log position , Darabi explain , “ These type of Wiley Post are not ensure on the fee timeline but are usable through a train association . “ The briny impact of these character of Emily Price Post is that , since they rich person no contact , the Thomas Nelson Page executive can not persuasion or edit them . ” On November 6 , Darabi carry his upshot to Facebook and a eyepatch was inclose within a workweek by the societal mass medium heavyweight . The investigator did , nonetheless , supervise to evade the patch up . For expose the flaw , he bring home the bacon $ 15,000 and another $ 15,000 for bypass Facebook ’s define . The grouping read it had ground no substantiation of furiousness for malicious reason out . wiretap amplitude Hunter Youssef Sammouda has too lately remark see an remaining defect on Facebook . He as well gain ground Facebook $ 30,000 for a exposure germ that he disclose to the strong in November 2020 . On a subdomain for Facebook ’s Oculus VR headset , Sammouda come up a transverse - situation script ( XSS ) loophole , which finally grant him to commandeer both Oculus and Facebook answer for . The investigator compose a web log spot sooner this calendar month key his reflexion .