How a simple bug in Facebook Lite let me win my first bug bounty from Facebook
--
This writeup is about an easy catch in Facebook Lite that led me to win a bug bounty from Facebook unexpectedly for the first time.
[Edit (2021): Going by the date of reporting, this has actually become my 3rd valid bug report as of now, because two reports made before this one were recognized as valid later this year.]
There’s a separate Newsfeed available for pages to interact with other pages and their posts independently. This option might not be available to all users, but it can be accessed at any time through this URL: ‘https://www.facebook.com/pageusername/news_feed’.
But the vulnerability is on the mobile platform of the same section. So, moving to mobile: Pages still get the separate section ‘Pages Newsfeed’ in the top bar, or from the ‘more’ option inside the page, in FB4A and in FBLite too.
At first, I began to look for an admin disclosure vulnerability in the page news_feed on the Facebook app. Everything went smoothly; I couldn’t find anything suspicious. But then I remembered, ‘Oh! Facebook Lite has that same Page News Feed option too’, so I started looking there. Suddenly, when I opened a photo from any one of the posts on the page news_feed and then commented on the post, the comment went from the admin’s personal account instead of the page. (However, when commenting just from the outer interface without opening the media, the comment went from the page itself.) This vulnerability was practically most effective with posts containing multiple media (photos/videos), where pages can view the photos/videos one by one by clicking on them; when they then commented, the comment went from the admin’s account. So, without any hesitation, I immediately reported it to Facebook with the title ‘Commenting on a post by opening it via page’s news-feed goes from a wrong actor (i.e. admin’s personal account)’ along with a short POC video.
After several conversations, they replied claiming it was fixed, but it wasn’t properly fixed the first time. I informed them about what remained. After some days, they awarded me the bounty before a complete fix, and they asked me to refrain from disclosing any details of the report before it was fully resolved. Now that the bug is patched, I am disclosing it here under the responsible disclosure policy.
Timeline
Reported — Sunday, 12 July 2020
Pre-Triaged — Thursday, 16 July 2020
Triaged — Friday, 17 July 2020
Fix claim from their side — Saturday, 25 July 2020
Informed about incomplete fix — Saturday, 25 July 2020
Reply of Acknowledgement — Wednesday, 5 August 2020
Asked for an update — Sunday, 16 August 2020
Informed about the ongoing process — Wednesday, 19 August 2020
Bounty Rewarded without the fix — Friday, 28 August 2020
Additionally asked to refrain from disclosure — Friday, 28 August 2020
Agreed, thanked & requested to update the hall-of-fame page — Friday, 28 August 2020
Listed in the Facebook hall of fame — Wednesday, 2 September 2020
Asked permission to disclose the bug as it got completely fixed — Monday, 28 September 2020
Permission granted with a final patch message — Wednesday, 7 October 2020
Thank you for reading this write-up about the simple vulnerability. If you have any suggestions/queries, I’m available on Facebook/Instagram :)