My first bug report at Facebook (2021)

Today I want to share the story of how I was rewarded $xxx by Facebook. I started hunting bugs this February 2021 when I saw a member of a group say that he had been awarded for doing that. But in actual hunting, I realized that it's not as easy as I thought. I submitted reports on Bugcrowd and HackerOne, but my reports were Informative and one was a duplicate. It's not easy for beginners, so I was always reading write-ups and watching YouTube, until I read a write-up of a bug in Facebook, and that was it. For those who don't already know, Facebook can award you if you find a bug that may affect the privacy of its users, and the award can be high if you find a high-risk bug.

Since I always deactivate my Facebook account and the only app I use is Messenger, that is what brought me to my first bug bounty at Facebook. Through Facebook Messenger, a deactivated Facebook account is able to send messages to any Facebook user and Instagram user. While searching for bugs in both applications, I found that if the Facebook account is deactivated, an Instagram user can't block it.

Title: Instagram user was unable to block a deactivated Facebook account in cross-app communication

Steps to reproduce:

1. Deactivate your Facebook account and use the Messenger application.
2. Through Messenger, send a message to any Instagram user except the Instagram account connected to your Facebook account.
3. From the Instagram app, you can send and receive messages from the deactivated Facebook account, but you can't block that Facebook account.

PoC link: https://youtu.be/et7yC6ENqRs

I have some tips for beginners or those new to the Facebook bug bounty program. This is based on my experience.

1. Always update your application before you start hunting.
2. If you think you have found a bug, test it multiple times before writing the report.
3. Always provide a PoC, even if your bug is easy to reproduce.
4. Be nice to the security team.

And lastly, don't give up. I failed multiple times before I got my first bug bounty, but I consider myself lucky, because 2 months of hunting bugs and almost 1 month in the Facebook bug bounty program is very soon for me to be awarded.

Edited:

Special thanks to Admin Rien/Rena of PHU IV and Pinoy Info Sec.

Timeline Review:
March 6, 2021 - Initial report
March 10, 2021 - Needs a PoC
March 11, 2021 - I sent the PoC
March 17, 2021 - I tested with a different account and sent a 2nd PoC
March 18, 2021 - Triaged
March 25, 2021 - Fixed
March 31, 2021 - Bounty awarded
