[ Writeup — Bugbounty Facebook ] Disclosure of the verified phone number in Checkpoint.

TienDat
Oct 15 · 2 min read

On free nights, I often spend time reading the big tech companies' requests.

On that day, while I was reading Facebook's requests, my test account received a checkpoint (Verify phone number).

After verifying my account, I realized that I hadn't turned off Burp Suite. When I had a look at the requests again, I saw these.

I could see my phone number in these requests. Should I send this case to Facebook? I had already sent a lot of cases that reached triage, but a few days later I received a notification that I was a latecomer. -_-

However, if we can see what is not authorized, it is an error! So just report it.

20/8 — My report was sent.

23/8 — Facebook asked whether this case would affect users or interfere with Facebook's infrastructure.

- I have nothing to say, because it’s so obvious.

23/8 — I reported this problem again with a detailed explanation.

26/8 — Facebook's answer is NO! This is not a flaw, so you wouldn't get any money from us.

- I’m fine. Ok, stop explaining.

05/9 — My name is ****, I work on the Facebook Security team. I just wanted to let you know that we are going to be investigating your report a bit further here: as such, we have reopened it.

Ok, you got your mistake.

05/9 — Ok!

14/10 — Confirmation of patch by Facebook

This must be my first bounty from Facebook. I hope you guys will find many bugs and won't be discouraged.


F: https://www.facebook.com/datphammmmm
