My Second Bounty of $$$$ From Facebook

Summary

I am back with a new write-up. This write-up is about how I got my second bounty from Facebook for reporting a functional security issue. In this write-up, I will show how I was unable to unlink a page from a new featured public group from both the page and group settings.

Story about how this happened?

Nepal Educational Hub (NEH)

PAGE CANNOT BE UNLINKED FROM NEW FEATURED PUBLIC GROUP.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android, Facebook Web: Groups

Complete Details:

Once linked, a page cannot be unlinked from a new featured public group. Also, the user cannot interact as the page in the group.

Impact:

Page unlinking and Page interaction errors

Repro steps:

Setup

Users: AdminA, GroupA, PageA

Environment: AdminA is UserProfile, GroupA is Public Group and PageA is PageProfile. AdminA is admin of GroupA and PageA.

Steps

  1. AdminA created GroupA.
  2. AdminA linked PageA with GroupA.
  3. There is no option to interact as PageA in GroupA.
  4. Then, AdminA tried to unlink GroupA and PageA from both Page Settings and Group Settings.
  5. The unlinking was unsuccessful.

Timeline:

Report submitted to Facebook Security Team: Thursday, 20 May 2021 at 10:56 pm

Triaged: Friday, 21 May 2021 at 03:53 am

Fixed: Thursday, 27 May 2021 at 08:18 pm

Confirmation of Fix: Thursday, 27 May 2021 at 08:53 pm

Rewarded: Friday, 11 June at 08:30 AM

Thanks for reading :)

If you wish to connect with me then I am available on Facebook and Instagram.
