Zahid Ali
Feb 4, 2017

Facebook Groups Hack

In 2015, I reported to Facebook that it is possible to deactivate another user’s account through the “Account Recovery Form”. This can be accomplished if the account has a registered phone number. Facebook allows users to submit the form if they need help recovering their account. However, that form was only available to users who had registered their Facebook ID with a phone number.

I reported that, due to account deactivation, a user can lose certain activity on the account.

I got a reply from Facebook security team member Annalise, which said:

“Locking accounts is intended in some scenarios to protect users from attack. Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.”

The same year, another researcher reported that if a group has only one admin and that admin’s account is deactivated, any member can become an admin of the group. Facebook rejected that bug and said:

“On the deactivation page, we warn users that due to account deactivation they will lose the groups”

So, in 2016 I merged these two rejected reports and sent them to Facebook, showing that, through account deactivation by an attacker, the victim would lose all of their groups.

Here is the POC video.


They accepted and I got a bounty from Facebook. :)

