Luckily, after a lot of frustration at not being able to find any valid bugs after the first one, I somehow managed to find a bug in the Facebook Lite app that would easily disclose the admin_id of any page.
I was just testing each and every function that the FBLite app has, and I found one suspicious behaviour that leads to Page Admin Disclosure. It is fixed now, so I'm disclosing it publicly.
I will now write out the description and steps to reproduce that I sent to Facebook:
Description: When a page messages a fan/follower of the page, the messages are sent through the page's id, which is the normal behaviour. I found a bug where, when the page admin goes to his page inbox in FBLite and sends a photo to any fan/follower of the page, the photo is sent through the page admin's personal profile id instead of the page id. This bug leads to page admin disclosure.
1. User A goes to his Page X's inbox through FBLite and opens User B's message thread.
2. User A sends a text message to User B.
3. User B receives the text message sent by User A through the page's id.
4. User A now sends a photo to User B through the page inbox.
5. User B receives the photo message through User A's personal profile id instead of the page id, which leads to page admin disclosure.
POC is here: https://drive.google.com/file/d/1F9tkf1AU33vTsrk_PE09lLmU13wB89uD/view?fbclid=IwAR2fuYeh80vFu9nfvPINdvyjh_ER9pjqO267nPW5OhgqB-KhCWhOz0H8fCQ
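To make the underlying defect concrete from a defender's side, here is an added example (written for this post; it is not Facebook's code, and every name in it such as `PageInbox`, `send_photo_vulnerable` and `sender_identity_leaks` is a hypothetical reconstruction). It models a page inbox where the text path correctly stamps the page id as sender while the photo path reuses the authenticated admin's own id, then shows the fixed path that derives the sender from the page owning the inbox for every attachment kind, plus a regression check that flags any outgoing message whose sender is an admin's personal id.

```python
"""Model of the page-inbox sender-identity bug described in the writeup.

Illustrative reconstruction only, not Facebook's code. All class and
function names are hypothetical. The invariant: every message leaving a
page's inbox, whatever its attachment type, must carry the page's id as
sender, never the acting admin's personal profile id.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    thread_id: str
    sender_id: str
    kind: str      # "text" or "photo"
    payload: str


@dataclass
class Page:
    page_id: str
    admin_ids: set


class PageInbox:
    """Hypothetical page-messaging service with the flawed and the fixed send paths."""

    def __init__(self):
        self.sent = []

    def send_text_vulnerable(self, page, actor_id, thread_id, text):
        # Text messages were already correct: the sender is the page.
        self._require_admin(page, actor_id)
        return self._deliver(Message(thread_id, page.page_id, "text", text))

    def send_photo_vulnerable(self, page, actor_id, thread_id, photo_ref):
        # The flaw: the photo path reuses the authenticated actor's id as sender,
        # i.e. the admin's personal profile id, which reveals who runs the page.
        self._require_admin(page, actor_id)
        return self._deliver(Message(thread_id, actor_id, "photo", photo_ref))

    def send_fixed(self, page, actor_id, thread_id, kind, payload):
        # Fixed path: one function for every attachment kind; the sender identity
        # is derived from the page that owns the inbox, never from the actor.
        self._require_admin(page, actor_id)
        if kind not in ("text", "photo"):
            raise ValueError(f"unsupported message kind: {kind}")
        return self._deliver(Message(thread_id, page.page_id, kind, payload))

    @staticmethod
    def _require_admin(page, actor_id):
        if actor_id not in page.admin_ids:
            raise PermissionError("actor is not an admin of this page")

    def _deliver(self, msg):
        self.sent.append(msg)
        return msg


def sender_identity_leaks(page, messages):
    """Regression check: return every message from this page's inbox whose
    sender is an admin's personal id rather than the page id."""
    return [m for m in messages
            if m.sender_id != page.page_id and m.sender_id in page.admin_ids]


def demo():
    # Constructed sample ids, not real accounts.
    page = Page(page_id="page_100", admin_ids={"user_a"})
    thread = "thread_user_b"

    vulnerable = PageInbox()
    vulnerable.send_text_vulnerable(page, "user_a", thread, "hello")
    vulnerable.send_photo_vulnerable(page, "user_a", thread, "photo.jpg")
    leaked = sender_identity_leaks(page, vulnerable.sent)

    fixed = PageInbox()
    fixed.send_fixed(page, "user_a", thread, "text", "hello")
    fixed.send_fixed(page, "user_a", thread, "photo", "photo.jpg")
    still_leaked = sender_identity_leaks(page, fixed.sent)

    # (number of leaking messages on the flawed path, on the fixed path)
    return len(leaked), len(still_leaked)


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The check in `sender_identity_leaks` is the kind of assertion worth running over every outbound path of a page-messaging feature, since the bug here lived only in the one path (photos) that was presumably added separately from plain text.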
Report Submitted: June 25, 2020
Pre-triage: June 29, 2020
Triaged: June 29, 2020
Confirmation of Fix: July 7, 2020
Reward awarded: July 16, 2020
The flaw in FBLite's photo-sending feature let me find this bug without using any tools. I'm very grateful to Facebook for rewarding me with a nice bounty amount for this logical bug.
I don't know how to express my happiness about my first 4-digit bounty from Facebook. I was really very happy when I received the bounty notification. I was like:
I still have a lot to learn in this journey of bug hunting, and this motivated me to keep going. :)
Thanks a lot to everyone, and very special thanks to our beloved Ashok dai.
Follow Infosec Writeups for more.