The Tale of 2nd Bounty ($500) From Facebook
“Hello everyone, it's me, Shuvam, a tech-enthusiastic kid. I hope you all are fine in this pandemic situation. This is the tale of how I accidentally managed to get my 2nd bounty from Facebook.”
Story about how this happened?
I have a habit of reading Medium articles and infosec materials shared on Facebook. When I didn’t have enough time to finish an article or post, I used to save it.
I had built a good collection of learning materials this way, accessible from the Saved Collection feature in Facebook Lite. But one morning I noticed that I was unable to access the whole collection of learning materials and got an error like this.
Then I thought for a while and an evil thought came to my mind. As an attacker, I logged in with my test account and created a post. Then, as a victim, I saved the post to one of the collections. Then, as the attacker, from my test account I changed the privacy of the post to “Only Me”.
Now, as the victim, I tried to access the collection containing the photo we just saved. “Doing so, I was unable to access not only the photo whose privacy option the attacker changed, but also posts which were saved earlier by the victim. This made the whole collection of posts inaccessible”, which is a privacy issue.
So, I immediately created a short POC regarding the issue and sent it to the Facebook Security Team. The issue was fixed in a short time and I was awarded a reward of $500.
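The write-up does not say what caused the failure on Facebook's side. As an added example (not from the original post and not Facebook's code), the constructed model below assumes one plausible cause, a per-post visibility check whose failure aborts the whole listing, and contrasts it with a loader that skips only the hidden post; all names in it are hypothetical.

```python
# Constructed model of a saved-collection loader; an assumption, not Facebook's code.
from dataclasses import dataclass


class NotVisible(Exception):
    pass  # raised when the viewer may not see a post


@dataclass
class Post:
    post_id: int
    owner: str
    privacy: str = "public"  # "public" or "only_me"


def fetch_post(posts, post_id, viewer):
    """Per-item authorization: only the owner sees an 'only_me' post."""
    post = posts[post_id]
    if post.privacy == "only_me" and post.owner != viewer:
        raise NotVisible(post_id)
    return post


def load_collection_fragile(posts, saved_ids, viewer):
    """One hidden item aborts the whole listing (the symptom in the write-up)."""
    return [fetch_post(posts, pid, viewer) for pid in saved_ids]


def load_collection_hardened(posts, saved_ids, viewer):
    """Skip items the viewer can no longer see; keep the rest available."""
    visible, hidden = [], 0
    for pid in saved_ids:
        try:
            visible.append(fetch_post(posts, pid, viewer))
        except NotVisible:
            hidden += 1  # count only; reveal nothing about the hidden post
    return visible, hidden


def demo():
    posts = {i: Post(i, o) for i, o in [(1, "friend"), (2, "page"), (3, "attacker")]}
    saved = [1, 2, 3]             # victim's saved collection
    posts[3].privacy = "only_me"  # owner of post 3 changes privacy after the save
    try:
        load_collection_fragile(posts, saved, "victim")
        fragile_ok = True
    except NotVisible:
        fragile_ok = False
    visible, hidden = load_collection_hardened(posts, saved, "victim")
    return fragile_ok, [p.post_id for p in visible], hidden
```

A regression test for this class of bug changes the privacy of one saved item after the save and asserts that the remaining items in the collection still load for the saver.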
Report Timeline:
Initial Report sent: Tuesday, April 27, 2021
Reproduced and Triaged: Wednesday, April 28, 2021
Fixed: Wednesday, May 5, 2021
Confirmation Of Fix: Wednesday, May 5, 2021
Reward awarded: Thursday, June 3, 2021
Thank you for giving some time to read my write-up! See you in the next write-up!