How I made my first $$$ from finding a bug in Facebook

Aayush Pokhrel

One day I decided to search for a bug in Facebook, and I chose the Facebook Lite application to look in. After some hours I found one small issue in the Facebook Lite application. The issue was that an admin can’t delete the conversation of users using Facebook Lite who send messages in their page. At first I thought this was not a security bug; later I thought that this really is a privacy-related bug, because admins and users can talk about their private stuff in a page. If an admin can’t delete that conversation, then this is really a security bug in Facebook Lite, so I reported it to Facebook and got rewarded by Facebook.

Vulnerability Type: Privacy / Authorization

Product Area: Android

Title: “Conversation can’t be delete of user in page using Facebook lite”

Vulnerability Description:

An admin can’t delete the conversation of a user using Facebook Lite.

Impact of the Vulnerability:

Everyone needs privacy, and this is not maintained in Facebook Lite: an admin cannot delete the conversation of a user. (epic impact) :D :D

Steps I followed to reproduce this issue:

1) Log in as user A (normal user) on one device.

2) Log in as user B (page admin) in Facebook Lite on another device.

3) Send a message to user B (page admin).

4) User B will get a notification in Facebook Lite.

5) User B opens that chat and tries to delete that conversation, but it will show an error.

Timeline:

Initial Report: July 12, 2019

Reproduced: July 16, 2019

Triaged: July 17, 2019

Fixed: July 29, 2019

Fix Confirmed: July 29, 2019

Awarded ($$$): August 15, 2019
