My Second Bounty OF $$$$ From Facebook

Aashish Kunwar
Jun 11, 2021

Summary

I am back with a new write-up. This write-up is about how I got my second bounty from Facebook for reporting a functional security issue. In this write-up, I will show how I was unable to unlink a page from a new featured public group from both the page and group settings.

Story about how this happened?

Hi, I am Aashish from Dhangadhi, Nepal. This is a short blurb about a bug I found on Facebook recently, on the evening of Thursday, May 20, around 9 pm.

Actually, at that time I was not looking for any security/privacy issues on Facebook professionally. I am a Class 11 student serving as the admin of Nepal Educational Hub (NEH), one of the largest educational communities of Nepal. We created this group to make Facebook a better platform to learn and study in Nepal, with the common motto of “Helped and Be Helped”. The group is based up to +2 level, and in it we have been exchanging learning materials. For IOE and IOM Entrance Preparation, I created a subgroup of NEH, viz. IOE and IOM Entrance Preparation Booster. After I created the group, I linked the Nepal Educational Hub page with the group.

I wanted to upload a group cover photo from the page profile, but I was unable to interact as the page. At first I thought it might be an intended feature, since the group has new features. So I tried to unlink the page. I couldn’t unlink the page from the group through the page and group settings. I was just flabbergasted. At first I thought it might be a glitch and a network problem, so I tried again after a jiffy. Again the same problem materialized.

Then I was sure this might be an issue. I also checked with other pages and groups, and again got the same result. Finally my cloud of confusion cleared off with the fact that it is a bug, with a big yes. I reported it right away, and the bug was triaged in less than 5 hrs.

What I Submitted:

Title: PAGE CANNOT BE UNLINKED FROM NEW FEATURED PUBLIC GROUP.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android, Facebook Web: Groups

Complete Details:

Once linked, a page cannot be unlinked from a new featured public group. And the user cannot interact as the page in the group.

Impact:

Page unlinking and Page interaction errors

Repro steps:

Setup

Users: AdminA, GroupA, PageA

Environment: AdminA is UserProfile, GroupA is Public Group and PageA is PageProfile. AdminA is admin of GroupA and PageA.

Steps

  1. AdminA created GroupA.
  2. AdminA linked PageA with GroupA.
  3. There is no option to interact as PageA in GroupA.
  4. Then, AdminA tried to unlink GroupA and PageA from both Page settings and Group settings.
  5. The unlinking was unsuccessful.

Timeline:

Report submitted to Facebook Security Team: Thursday, 20 May 2021 at 10:56 pm

Triaged: Friday, 21 May 2021 at 03:53 am

Fixed: Thursday, 27 May 2021 at 08:18 pm

Confirmation of Fix: Thursday, 27 May 2021 at 08:53 pm

Rewarded: Friday, 11 June at 08:30 AM

Thanks for reading :)

If you wish to connect with me then I am available on Facebook and Instagram.
