Facebook Bug bounty Story: $X000 for an Information Disclosure Bug

Circle Ninja
Dec 29, 2019 · 2 min read

Around last year, I reported a valid security bug in Facebook but didn’t know how to explain the impact of the issue. Even after finding the bug, I couldn’t figure out the attack scenario / or what the security team would accept! Some weeks later, I find that FB rewarded Sarmad Hassan (jubabaghdad) with $3k . (https://bugreader.com/jubabaghdad@disclose-thumbnail-of-any-video-in-facebook-workplace-87)

Kudos to him. :)

Then Bountycon happened. Very grateful for the team to invite me. Never expected. Met and saw some great security researchers :P !

Revived my interest to hunt bugs on Facebook to give a “return gift

Bug-

My friend had started a Facebook page to post funny videos.

One video was very funny. I knew his fb id and also that he is the admin of the page.

Example admin id- xxxx

While viewing a video, I simply right clicked, View Page Source, searched xxxx.

Boom! One result found.

The page source was leaking the id of the person who was the content owner.

Impact-

Fb Page Admin, editor... Disclosure

Attacker can view page source from the video section of the Facebook page and find the users with page roles. ( If editor had uploaded the video, it will leak his/her fb id. )

This was fixed within < day. Nice Reward!


I think this maybe the most easiest of security bugs found ever on Facebook which maybe be exploited at large scale without any proxy or advanced steps.

This bug was found sub consciously. I never was hunting for any security issue. So always be humble, honest and grateful!

I would like to thank @phwd, Max Pasqua, Sarmad Hassan, Kassem Bazzoun ,Richard Cao and others for the inspiration of this writeup. There are only a few people who do writeups and I respect them !

Connect with me on Twitter: https://twitter.com/CircleNinja and join me to write your hacking story on this Not for Profit publication !

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Circle Ninja

Written by

Wannabe Security JCB | BTech CSE Student from India

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade