The story of My First $xxx Bug Bounty From Facebook

I am a complete beginner and learner looking for a way to get into bug bounties. I've been familiar with bug bounties for over 1 year, but I couldn't get any bounties from my reports. Most of my reports were closed as informative or duplicates.

So after a lot of time and effort, I decided my aim in this lockdown was only to find valid bugs in Facebook. I reported 15 bugs to Facebook initially, but 7 of them were informative and the rest of them (you do the math) were dupes. Then I found this bug: Page Admin Disclosure.

How was I able to discover the flaw?

I was literally very sad about getting all the reports closed, so I thought I'd try something new. I thought I'd check once in the mbasic domain of Facebook (m.facebook.com). First I created a page and tried to check every function available there. Then I saw something unusual happening.
In the post options of the page, I saw the "More" option. When I clicked on the …More option, even though I was acting as Testing (the page), the post was uploaded by the page admin.

When the Page tries to post using any other feature, like photos & videos, check-in, etc., the post won't be posted by the page. It would be posted by the admin. This bug resulted in the disclosure of the admin.

The steps I sent to facebook were like this:

  1. Suppose UserA is admin of a Page. Go to m.facebook.com and log in with UserA's account.
  2. Now, go to your Page menu. Select "Acting as [Page_name]" and post a text, for example "Hello World".
  3. The text is posted by the page.
  4. Now again select the "Acting as [Page_name]" option and try to post a photo or check in, or click on more options.
  5. Then upload a photo, or do a check-in, or more, and click on Post.
  6. Then the post will be posted by UserA, even though we selected the option "Acting as [Page_name]".

And then I submitted the bug:

I waited a long time for the response from the team, as I was anxious to know the results of my bug.

Timeline:

Report Submission: April 5, 2020

Pre-triage: April 7, 2020

Triaged: April 8, 2020

Me panicking: April 16, April 30, 2020

Confirmation of Fix: May 4, 2020

Panic attacks again: May 22, May 28, 2020

Finally the bounty awarded: May 30, 2020

I don't know how to explain my happiness that the first valid bug in my life was in Facebook. I was really very happy when I received the bounty notification. I was like

I still have a lot to learn and this motivated me to keep continuing the journey.

Thank you so much to everyone and special thanks to Ashok dai .

#facebookbugbounty

POC Link : https://drive.google.com/file/d/1QOUTXfBteinT9KIYaQ6zwEeNTMwa1v26/view?fbclid=IwAR13BaS45MmjvDRI48h6oDxEyyOXnuoi3iwfnzzXiSGtjGn06kQvpKf3CNg
