How I made my first $$$ from finding a bug in Facebook

Aayush Pokhrel
Aug 21, 2019 · 2 min read

One day I decided to search for bugs in Facebook, and I chose the Facebook Lite application to look for them. After some hours I found one small issue in the Facebook Lite application: a page admin can't delete the conversation of a user who sends a message to their page using Facebook Lite. At first I thought this was not a security bug, but later I thought that it is really a privacy-related bug, because the admin and users can talk about their private matters in a page. If the admin can't delete that conversation, then this is really a security bug in Facebook Lite, so I reported it to Facebook and got rewarded by Facebook.

Vulnerability Type: Privacy / Authorization

Product Area: Android

Title: “Conversation of a user in a page can’t be deleted using Facebook Lite”

Vulnerability Description:

A page admin can’t delete a user’s conversation using Facebook Lite.

Impact of the Vulnerability:

Everyone needs privacy, and this is not maintained in Facebook Lite, since the admin cannot delete the user’s conversation. (epic impact) :D :D

Steps I followed to reproduce this issue:

1. Log in as user A (a normal user) on one device.

2. Log in as user B (the page admin) in Facebook Lite on another device.

3. Send a message to user B (the page admin).

4. User B will get a notification in Facebook Lite.

5. User B opens that chat and tries to delete the conversation, but it shows an error.


Timeline:

Initial Report: July 12, 2019

Reproduced: July 16, 2019

Triaged: July 17, 2019

Fixed: July 29, 2019

Fix Confirmed: July 29, 2019

Awarded ($$$): August 15, 2019
