Hi, I am Aashish Jung Kunwar from Dhangadhi, Nepal. Today, I am back with a new write-up. The write-up is about how I earned my 3rd bounty after reporting a functional security issue to the Facebook Security Team.
Proof Of Concept:
What I have submitted:
Title: ADMIN CANNOT REMOVE DEACTIVATE USER FROM GROUP CHAT
Product Area: FBLite
Complete Details: Admins of group chats cannot remove deactivated users.
Impact: Deactivated Facebook users with active Messenger accounts remain as group members permanently. Admins should have access to remove deactivated users too.
Users: UserB, GroupA, AdminA.
Environment: UserB and AdminA are members of GroupA where AdminA is an admin. UserB deactivated Facebook but is using Messenger.
App version: Facebook Lite
1. AdminA attempted to remove UserB from GroupA, but the removal was unsuccessful.
They replied in less than 1 hour like this:
We’re having a hard time reproducing the issue described in your report. Please reply with reproduction instructions (images and video would be helpful). In our testing we were able to remove deactivated users; can you verify if this is still reproducible by creating a new group and adding a few test accounts, then trying to remove one of them?
I replied back with a reproduction video.
We are still unable to reproduce; in our testing the removal part works just fine in FBLite. We are using FBDL test accounts to reproduce. Could you specify which build version of FBLite you have and which phone model/make you are using, and whether you are using test accounts or real accounts? If you can reproduce with FBDL test users, can you provide a video PoC for that?
And again, they were unable to reproduce. I was flabbergasted at first, and I answered:
I have tried using test accounts too. Using test accounts, we cannot deactivate Messenger only, and if we want to reactivate Messenger only, it automatically reactivates the Facebook account. So, it is impossible to reproduce using test accounts.
App version: 253.0.0.8.119
Phone model: Samsung Galaxy J4
They closed the report as informative because the report didn’t meet the bar for a monetary reward:
Thanks for writing in.
We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on, unfortunately your report falls below the bar for a monetary reward.
This is because the user still appears in the member list; therefore, users in the chat can choose not to send messages that they don’t want to be seen by that user. Note that if the user was hidden from the members list when they deactivated their account, that would have been a valid issue. In this case we consider this issue to be low impact and not eligible for a monetary reward.
I wish you luck in your continued bug hunting.
I wasn’t satisfied. Then, I answered:
The deactivated member can easily see every message in groups. They can chat in the group easily. They have only deactivated Facebook, not Messenger. That’s why no one can remove them from the group. So, it should be an issue with high impact. Furthermore, what if the deactivated user is an admin? The admin cannot be removed from the group. Isn’t this an issue with irremovable GroupChat admins and members?
Finally, they triaged the report:
Thank you for the additional explanation and thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress.
Then, I was delighted, anticipating that the issue would surely qualify for a bounty, and I replied:
Good to know the report is being sent to the appropriate product team for further analysis!
I am looking forward to hearing from the team for further updates soon.
We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not resolve this issue. We will follow up regarding any bounty decisions soon.
I can confirm that the vulnerability seems to be patched on my side as well.
And, thank you for the reply.
And, finally, the wait is over and they rewarded me a bounty:
With $25 as a bonus:
Timeline of report:
Initial Report: 7 June 2021
Closed as Informative: 8 June 2021 (because the bug didn’t meet the bar for a monetary reward)
Triaged: 8 June 2021 (After Further discussion)
Fixed: 18 June 2021
Bounty Awarded: 23 July 2021