My Second Bounty OF $$$$ From Facebook

Aashish Kunwar
3 min readJun 11, 2021

Summary:

I’m back with a new write-up, detailing how I got second bounty from Facebook by reporting a functional security issue. In this write-up, I’ll be demonstrating the challenge I faced when trying to unlink a page from a newly featured public group using both page and group settings.

Story about how this happened?

Hi, I am Aashish from Dhangadhi, Nepal. This is a short blurb about a bug I found on Facebook recently, on Thursday, May 20, in the evening around 9 pm.

At that time, I was not actively looking for any security/privacy issues on Facebook professionally. As a Class 11 student serving as the admin of Nepal Educational Hub (NEH), one of the largest educational communities in Nepal, we’ve created this group to make Facebook a better platform for learning and studying in Nepal, with the common motto of ‘Helped and Be Helped.’ The group is based on up to +2 level education, where we exchange learning materials. For IOE and IOM Entrance Preparation, I created a subgroup of NEH called ‘IOE and IOM Entrance Preparation Booster.’ After creating the group, I linked the Nepal Educational Hub page with the group.

I wanted to upload a group cover photo from the page profile, but I was unable to interact as the page. Initially, I thought it might be an intended feature since the group had new features. So, I tried to unlink the page, but I couldn’t do it through the pages and group settings. I was flabbergasted. Initially, I considered it might be a glitch or network problem. After waiting for a moment, I tried again, but the same problem persisted.

Then I was sure this might be an issue. I also checked from other pages and groups, and the issue was consistent. Finally, my cloud of confusion cleared off when I confirmed that it was indeed a bug. I reported it right away, and the bug was triaged in less than 5 hours.

What I have submitted:

Title: PAGE CANNOT BE UNLINKED FROM NEW FEATURED PUBLIC GROUP.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android , Facebook Web : Groups

Details: Once linked, a page cannot be unlinked from a new featured public group. Additionally, users cannot interact as a page in the group.

Impact: Page unlinking and Page interaction errors

Repro steps:

Setup:

Users: AdminA , GroupA , PageA

Environment: AdminA is UserProfile, GroupA is a Public Group, and PageA is a PageProfile. AdminA is the admin of GroupA and PageA.

Steps:

  1. AdminA created GroupA.
  2. AdminA linked PageA with GroupA.
  3. There is no option to interact as PageA in GroupA.
  4. AdminA tried to unlink GroupA and PageA from both Page settings and Group Settings, but the unlinking was unsuccessful.

Timeline:

Report submitted to Facebook Security Team: Thursday, 20 May 2021 at 10:56 pm

Triaged: Friday, 21 May 2021 at 03:53 am

Fixed: Thursday, 27 May 2021 at 08:18 pm

Confirmation of Fix: Thursday, 27 May 2021 at 08:53 pm

Rewarded: Friday, 11 June at 08:30 AM

Thanks for reading :)

--

--