The Tale of a 2nd Bounty ($500) From Facebook

Suvam Adhikari
3 min read · Jun 3, 2021


“Hello everyone, it's me, Shuvam, a tech-enthusiastic kid. I hope you are all doing fine in this pandemic situation. This is the tale of how I accidentally managed to get a 2nd bounty from Facebook.”

The story of how this happened

I have always had a habit of reading Medium articles and infosec materials shared on Facebook. When I didn't have enough time to finish an article or post, I saved it for later.

Doing this, I had built up a good collection of learning materials, accessible through the Saved Collection feature in Facebook Lite. But one morning I noticed that I was unable to access the whole collection of learning materials and got an error like this.

Then I thought for a while and an evil thought came to mind. As the attacker, I logged in with my test account and created a post. Then, as the victim, I saved the post to one of my collections. Then, as the attacker, I changed the privacy of the post to “Only Me” from my test account.

Now, as the victim, I tried to access the collection where we had just saved the photo. Doing so, I was unable to access not only the photo whose privacy the attacker had changed, but also the posts the victim had saved earlier. This made the whole collection of posts inaccessible, which is a privacy issue.
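To make the failure mode concrete, here is an added Python model that is not Facebook's code and uses constructed data: it contrasts a collection loader that fails as a whole when one saved item becomes non-viewable (the behaviour reported above) with one that authorizes each saved item on its own and simply skips what the viewer may no longer see.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in the write-up, not Facebook's code.
PUBLIC, ONLY_ME = "public", "only_me"

@dataclass
class Post:
    post_id: int
    owner: str
    privacy: str = PUBLIC

def can_view(viewer: str, post: Post) -> bool:
    """The owner always sees their own post; anyone else only while it is public."""
    return viewer == post.owner or post.privacy == PUBLIC

def load_collection_fragile(viewer, saved_ids, posts):
    """Reproduces the reported failure: one inaccessible item aborts the whole listing."""
    visible = []
    for pid in saved_ids:
        if not can_view(viewer, posts[pid]):
            raise PermissionError(f"post {pid} is not visible to {viewer}")
        visible.append(posts[pid])
    return visible

def load_collection_robust(viewer, saved_ids, posts):
    """Hardened form: authorize each saved item on its own and skip what the viewer may not see."""
    return [posts[pid] for pid in saved_ids if can_view(viewer, posts[pid])]

def scenario():
    """Replays the attacker/victim steps from the write-up on constructed data.

    Returns (items the fragile loader shows, items the robust loader shows)."""
    posts = {1: Post(1, "some_author"), 2: Post(2, "attacker")}
    victim_saved = [1, 2]            # victim saved both posts while both were public
    posts[2].privacy = ONLY_ME       # attacker flips their own post to "Only Me"
    try:
        fragile = len(load_collection_fragile("victim", victim_saved, posts))
    except PermissionError:
        fragile = 0                  # the whole collection becomes inaccessible
    robust = len(load_collection_robust("victim", victim_saved, posts))
    return fragile, robust

if __name__ == "__main__":
    print(scenario())  # (0, 1)
```

The robust loader keeps the victim's earlier saves available and hides only the single post the attacker made private, which is the outcome the fix should produce.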

So I immediately wrote a short PoC for the issue and sent it to the Facebook Security Team. The issue was fixed in a short time and I was awarded a reward of $500.

Report Timeline :

Initial Report sent : Tuesday, April 27, 2021

Reproduced and Triaged : Wednesday, April 28, 2021

Fixed : Wednesday, May 5, 2021

Confirmation Of Fix : Wednesday, May 5, 2021

Reward awarded : Thursday, June 3, 2021

Thank you for taking the time to read my write-up! See you in the next one!
