Facebook Account Recovery Form (CONFLICTING)

I started my bug hunting journey in may 2015. I already published my
writeups before about bugs i found in Facebook. This is my first bug i
found in Facebook in may 2015.
I heard about bug bounty Programs that how these companies inviting
hackers to see bugs inside their system and they are paying them
bounties for that.
 So i decided to test social media giant “FACEBOOK” first to see whats
happening inside facebook. I watched couple of videos uploaded by bug
hunters and their writeups. But frankly it is very hard to understand
how and where to start first.
Before hunting bugs i always check password recovery area’s for
different account :D so i decided to check these area’s and searching
account recovery forms. I got one so i tested for “XSS” but failed. I
tried to ask google and got so many links where people discussed that
it is very difficult to find “xSS” in Facebook. So i just forgot about
the “XSS” and tried to find something else.
After a few tests i figured it out that form is conflicting.

Description and Impact:
If “Attacker” submit a form for specific id and if “Victim” do the
same then first form submitted by “Attacker” will remove from Facebook
Dashboard and “Victim’s” Submitted Form will appear in the dashboard.
But in the email attacker will get a link of victim’s form and with
the help of that link “Attacker” was able to see the conversation
between “Victim” and Facebook Admin.

Reproduction steps:

  1. Go to https://m.facebook.com
  2. Click on “Forgot Password”
  3. Enter Phone number or Facebook Username of Victim
  4. Click — ->>> (No longer have access to these?)
  5. Enter Recovery email twice
  6. Fill up the form with fake info and submit.

Screen shots of Reproduction steps of form submitting by (Attacker):

“Also Getting reply in Email”

Now form was successfuly submitted by attacker.

=======================================

Screen Shots of victim submitting Form:

Victim successfuly submitted form

=======================================

Attacker’s form deleted from support dashboard:

Now Attacker is getting reply in the email of victim’s form (Conversation between Admin and Victim):

That’s it :)

Facebook award me 1000USD for that bug and that was my first bounty i got from facebook in june 2015.

:)