好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户已经提供了文章的详细内容,包括摘要、描述、参考资料、环境、用户、前提条件、步骤和影响等部分。 首先,我要理解文章的主要内容。文章讨论的是Facebook的一个功能漏洞:虽然官方文档说明只有朋友才能被添加为活动的共同主持人,但实际上在群组活动中,任何群组成员,即使不是创建者的Facebook好友,也可以被添加为共同主持人。这导致了权限分配的问题,可能带来意外的管理权限。 接下来,我需要将这些信息浓缩到100字以内。要抓住关键点:功能漏洞、官方文档与实际操作不符、群组成员可以成为共同主持人、可能引发的问题。 然后,我要确保语言简洁明了,避免使用复杂的术语。同时,不需要使用“文章内容总结”这样的开头词。 最后,检查字数是否符合要求,并确保信息准确无误。 </think> Facebook允许群组成员成为活动共同主持人,即使他们不是创建者的Facebook好友。这与官方文档规定不符,并可能导致意外权限分配。 2026-3-14 04:22:13 Author: infosecwriteups.com(查看原文) 阅读量:10 收藏
Summary
It is possible to add users who are not friends as co-hosts in group events, despite Facebook documentation stating that only friends can be added as co-hosts. The system only validates whether the user is a member of the group, but does not enforce the friendship requirement.
Description
According to Facebook’s official documentation:
“You can only add Facebook friends as co-hosts.”
However, when creating an event inside a group, the application does not validate whether the selected co-host is a friend of the event creator. Instead, the system only checks whether the user is a member of the group.
As a result, any group member — including users who are not friends with the event creator — can be added as a co-host to the event. This behavior contradicts the documented restriction and may lead to unintended privilege assignment within group events.
Reference
Facebook Help Center documentation states that only friends can be added as co-hosts:
Get Abu Idris Al-Muhaqqiq’s stories in your inbox
Join Medium for free to get updates from this writer.
https://web.facebook.com/help/215235325174804
Environment
Browser: Firefox
Operating System: Windows
Users
- User A — Group Owner / Event Creator
- User B — Group Member (Not friends with User A)
Preconditions
- User A and User B are not Facebook friends
- User B is a member of the group
Steps to Reproduce
1. User A creates a Facebook group.
2. User B visits the group and joins it.
3. User A creates a new event inside the group.
4. While creating the event, User A adds User B as a co-host.
5. Observe that the system allows adding User B as a co-host even though they are not friends with User A.
Impact
This issue allows group members who are not friends with the event creator to obtain co-host privileges, which may allow them to:
- Edit event details
- Manage invitations
- Potentially moderate event interactions
- Gain elevated control over the event
Since co-hosts have administrative capabilities over the event, the absence of a friendship validation may allow unintended users to obtain management privileges.
While the behavior may be intentional for group contexts, it contradicts the official documentation and can cause confusion and unintended permission assignment.
Timeline
November 28, 2025: Submit report
November 28, 2025: Initial evaluation
Hi Abu Idris,
A member of Meta’s security team has seen your report and performed an initial evaluation. We will get back to you once we have more information to share.
Thanks,
MetaSecurity
March 11, 2026: N/A
Press enter or click to view image in full size
如有侵权请联系:admin#unsafe.sh