I found an unintended behaviour in the FBLite app where the page admin could be easily exposed while adding a photo to his story . When the Page sends a photo message through FBLite then we can observe the Add to story options there . While clicking on it , the admin is getting disclosed . The usual behaviour should be that while clicking on the add to story options , the photo should be added to the page’s story but in this scenario the photo is being added to the page_admin’s personal id which leads to admin disclosure.
It leads to page admin disclosure which is a serious issue.
A page admin will post a story to their personal account instead of the Page when messaging from the Page inbox on FBLite and hitting “Add to Story”
1.UserA sends a photo to UserB through the page.
2. UserA clicks on Add to story option
3. The photo is added to the UserA’s story instead of Page’s story which is leading to page admin disclosure.
I don’t have a POC video available as I sent them the steps only and they were able to reproduce with that much of information only .
This writeup is a bit type of non technical but I hope you all are able to understand the bug and enjoy the writeup .
I can’t describe my happiness that I got after receiving this awesome notification . I was finally able to buy an awesome Laptop with the help of this bounty from Facebook . So I thank Facebook Security team for this wonderful experience . I was like this to myself.
Finally I got Listed in the Hall Of Fame of Facebook too due to the bug reports that I sent to Facebook .
I still have a lot to learn in this journey of bug hunting and this motivated me to keep continuing the journey . :)
Thanks a lot to everyone and very special thanks to beloved Ashok dai .
Follow Infosec Writeups for more.