Facebook bug bounty: page admin disclosure bug {Facebook Android app}

Yusuf
Jul 12, 2019 · 1 min read

Hello community! My name is Yusuf Aydın.

I found a vulnerability on 1 July 2019.

I tried these steps:

  1. Create an event from a page [Facebook Android mobile app].
  2. Add another account (be sure he/she is not an admin of the page) as a co-host in the event.
  3. Open the other account and click the notification about the co-host.
  4. You will see the name of the admin that added you as a co-host, like this.
  5. Two notifications arrive at the same time and disclose the admin of this page.

Image for post

PoC Video:

https://youtu.be/HdZb0t8BysM

Timeline:
Jul. 1, 2019 — Report sent
Jul. 4, 2019 — Report triaged
Jul. 8, 2019 — Issue fixed
Jul. 11, 2019 — Bounty of $500 awarded

Follow me on Twitter: https://twitter.com/h1_yusuf
