One day I decided to search for bugs in Facebook, and I chose the Facebook Lite application. After some hours I found one small issue in it. The issue was that an admin can't delete the conversation of users using Facebook Lite who send messages to their page. At first I thought this was not a security bug; later I thought that this really is a privacy-related bug, because the admin and users can talk about their private matters on the page. If the admin can't delete that conversation, then this really is a security bug in Facebook Lite, so I reported it to Facebook and got rewarded by Facebook.
Vulnerability Type: Privacy / Authorization
Product Area: Android
Title: “Conversation can’t be delete of user in page using Facebook lite”
An admin can't delete the conversation of a user using Facebook Lite.
Impact of the Vulnerability:
Everyone needs privacy, and this is not maintained in Facebook Lite: an admin cannot delete the conversation of a user. (epic impact) :D :D
Steps I followed to reproduce this issue:
1) Log in as user A (normal user) on one device,
2) Log in as user B (page admin) in Facebook Lite on another device,
3) Send a message to user B (page admin),
4) User B will get a notification in Facebook Lite,
5) User B opens that chat and tries to delete that conversation, but it will show an error.
Initial Report: July 12, 2019
Reproduced: July 16, 2019
Triaged: July 17, 2019
Fix Confirmed: July 29, 2019
Awarded ($$$): August 15, 2019