My Second Bounty OF $$$$ From Facebook

Summary

I am back with a new write-up. This write-up is about how I got my second bounty from Facebook for reporting a functional security issue. In this write-up, I will show how I was unable to unlink a page from a new featured public group from both the page and group settings.

Story about how this happened?

Hi, I am Aashish from Dhangadhi, Nepal. This is a short blurb about a bug I found on Facebook recently, on the evening of Thursday, May 20, around 9 pm.

Actually, at that time I had not been looking for any security/privacy issues on Facebook professionally. I am a student of Class 11 who is serving as the admin of Nepal Educational Hub (NEH), one of the largest educational communities of Nepal. We created this group to make Facebook a better platform to learn and study in Nepal, with the common motto of “Helped and Be Helped”. The group is based up to the +2 level, where we have been exchanging learning materials. For IOE and IOM Entrance Preparation, I created a subgroup of NEH, viz. IOE and IOM Entrance Preparation Booster. After I created the group, I linked the Nepal Educational Hub page with the group.

I wanted to upload a group cover photo from the page profile, but I was unable to interact as the page. At first, I thought it might be an intended feature since the group has new features. So, I tried to unlink the page. I couldn’t unlink the page from the group through the page and group settings. I was just flabbergasted. I thought it might be a glitch or a network problem at first. So, I tried again after a jiffy. The same problem materialized again.

Then I was sure this might be an issue. Then I also checked with other pages and groups. Again, I got the same result. Finally, my cloud of confusion cleared with the fact that it is a bug, with a Big Yes, and I reported it right away, and the bug was triaged in less than 5 hrs.

What I Submitted:

Title: PAGE CANNOT BE UNLINKED FROM NEW FEATURED PUBLIC GROUP.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android, Facebook Web: Groups

Complete Details:

Once linked, a page cannot be unlinked from a new featured public group. And the user cannot interact as the page in the group.

Impact:

Page unlinking and Page interaction errors

Repro steps:

Setup

Users: AdminA, GroupA, PageA

Environment: AdminA is UserProfile, GroupA is Public Group and PageA is PageProfile. AdminA is admin of GroupA and PageA.

Steps

  1. AdminA created GroupA.
  2. AdminA linked PageA with GroupA.
  3. There is no option to interact as PageA in GroupA.
  4. Then, AdminA tried to unlink GroupA and PageA from both Page settings and Group settings.
  5. The unlinking was unsuccessful.

Timeline:

Report submitted to Facebook Security Team: Thursday, 20 May 2021 at 10:56 pm

Triaged: Friday, 21 May 2021 at 03:53 am

Fixed: Thursday, 27 May 2021 at 08:18 pm

Confirmation of Fix: Thursday, 27 May 2021 at 08:53 pm

Rewarded: Friday, 11 June at 08:30 AM

Thanks for reading :)

If you wish to connect with me then I am available on Facebook and Instagram.
