[ Writeup — Bugbounty Facebook ] Disclosure of the verified phone number in Checkpoint.
On free nights, I often spend time reading the big tech companies’ requests.
On that day, while I was reading Facebook’s requests, my test account received a checkpoint (Verify phone number).
After verifying my account, I realized that I hadn’t turned off Burp Suite. When I had a look at the requests again, I saw these.
I could see my phone number in these requests. Should I send this case to Facebook? I had sent a lot of cases that were moved to triaged, but a few days later I received a notification that I was a latecomer. -_-
However, if we can see what is not authorized, it is an error! So just report it.
20/8 — My report was sent.
23/8 — Facebook asked whether this case would affect users or interfere with Facebook’s infrastructure.
- I have nothing to say, because it’s so obvious.
23/8 — I reported this problem again with a detailed explanation.
26/8 — Facebook’s answer is NO! This is not a flaw, so you wouldn’t get any money from us.
- I’m fine. Ok, stop explaining.
05/9 : My name is ****, I work on the Facebook Security team. I just wanted to let you know that we are going to be investigating your report a bit further here: as such, we have reopened it.
Ok, you got your mistake.
05/9 — Ok!
14/10 — Confirmation of patch by Facebook
This must be my first bounty from Facebook. I hope you guys will find many bugs and won’t be discouraged.