Hello Everyone, This is Rajiv Gyawali from Butwal, Nepal. This is a story of one of my finding on facebook.
Story : I was reading writeups of facebook bug bounty and came to a writeup which was about being unable to remove member from facebook event, The circumstances were “Invited user blocks owner of event”, I tested the same scenario at first but couldn’t reproduce it, Later i went to one of my test group and created an event in normal scenario(I thought it to be a normal scenario at first), and tried to remove a member from that event, i was unable to remove that member from group, I became happy with the thought like…ohhhhh buggy…thing :)
I tested that issue in several groups, There comes some disappointment, I was unable to reproduce it in some groups, i was very unsure whether to report that issue or not as there was a risk of fb team not reproducing it, i reported it anyway.
As expected, facebook team could not reproduce the issue, i myself was confused about the reproduction scenario of bug(So that was fair reply from facebook security :D), I again started testing for that issue from zero level, And…finally figured out the scenario required for the reproduction of issue…. Big relief :P :P
Actually, To reproduce that issue following Scenario was required :
So, I sent them with the additional information required to reproduce the issue, and they were able to reproduce the issue (PoC : https://youtu.be/MhC97tJxk0Q )
Timeline :
Report sent — 17th Sep 2021
Initial response from facebook — 22 September 2021 (Unable to reproduce)
Sent with additional info and scenario — 23rd September 2021
Reproduced — 24th September 2021
Triaged — 29th September 2021
Bounty Rewarded — 7th October 2021
Fixed and Confirmed — 21th November
This issue however was still reproducible in FB4A, may exist even now, but facebook team said they don’t accept this sort of issues in FB4A.
Thank you for reading to the end, Let’s get connected here Rajiv Gyawali
From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE!