Facebook Bug Bounty: page admin disclosure bug {Facebook Android app}

Yusuf
Jul 12 · 1 min read

Hello community! My name is Yusuf Aydın.

I found a vulnerability on 1 July 2019.

I tried these steps:

  1. Create an event from a page [Facebook Android mobile app].
  2. Add another account (be sure he/she is not an admin of the page) as a co-host of the event.
  3. Open the other account and click the notification about the co-host.
  4. You will see the name of the admin that has added you as a co-host like this
  5. Two notifications arrive at the same time and reveal the admin of this page.

PoC Video:

https://youtu.be/HdZb0t8BysM

Timeline:
Jul. 1, 2019 — Report sent
Jul. 4, 2019 — Report triaged
Jul. 8, 2019 — Issue fixed
Jul. 11, 2019 — Bounty of $500 awarded

Follow me on Twitter: https://twitter.com/h1_yusuf
