How I Earned My First $$$$ Bounty by Finding a Bug in Facebook

Aashish Kunwar
Apr 17, 2021

Hi, I am Aashish Jung Kunwar from Dhangadhi, Nepal. I am a Grade 11 student. Today, I’ll be sharing the process that led to my discovered bug qualifying for the Facebook Bug Bounty Program, earning me a $1000 reward from the Facebook Security Team. This accomplishment also made me one of the youngest Nepalis to receive a bounty reward from Facebook.

How I got my 1st bounty:

After the first wave of the Corona pandemic, I gained access to using mobile phones. I started using Facebook and met Saurav Subedi there. He approached me to be an admin of Nepal Educational Hub on Chaitra 11, 2076 (24 March 2020). During the peak of the pandemic when schools, colleges, and educational institutions were closed, Nepal Educational Hub became a platform to foster learning. We began sharing notes, solutions, and problems with the common motto of ‘Help and Be Helped.’

While managing the group and page, I encountered errors but wasn’t aware of the bug bounty platform initially. Later on, I learned about it from Saugat Pokharel. I reported my first bug on November 24, 2020, and it went duplicate. I felt disappointed to know that my first report had gone duplicate, but I persisted in reporting. Despite several duplicates, I kept at it. Finally, I identified a unique bug and was rewarded with a bounty of $1000 from Facebook.

About the bug:

There was a Personal and Page Profile Interaction error in a Facebook group; specifically, the voice selector failed to work correctly. I discovered a technical security issue while commenting via my personal profile, which was linked to the Facebook page.

What I have submitted:

Title: COMMENT GOES FROM PAGE PROFILE INSTEAD OF PERSONAL PROFILE.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android

Complete Details:

UserOne, a member of GroupOne, has both a personal profile and a page (PageOne). When UserOne comments on a post in GroupOne, the comment is attributed to PageOne instead of UserOne.

Impact:

Interaction occurs through the page profile instead of the personal profile.

Repro steps:

Setup:

  • Users: UserOne (Personal profile), PageOne (Page), GroupOne (Group); UserOne is the owner of PageOne.
  • Environment: UserOne, a member of GroupOne, and PageOne, also a member of GroupOne, are interacting with a post in GroupOne.
  • App version: Facebook for Android

Steps:

  1. Logged in to Facebook as UserOne.
  2. Posted in GroupOne, interacting as UserOne.
  3. Random users comment on that post. When UserOne attempts to respond by clicking on the notification (‘Someone commented on your post in GroupOne’), the comment goes through PageOne’s profile. Additionally, while commenting randomly on the post, the comment also goes through PageOne.

Timeline:

Initial report: 18 December 2020

Reproduced: 22 December 2020

Triaged: 23 December 2020

Fixed: 24 March 2021

Confirmation of Fix: 24 March 2021

Rewarded {$$$$}: 9 April 2021

Thanks for reading!
