Facebook Bug bounty Story: $X000 for an Information Disclosure Bug

Circle Ninja
Dec 29, 2019 · 2 min read
Image for post
Image for post

Around last year, I reported a valid security bug in Facebook but didn’t know how to explain the impact of the issue. Even after finding the bug, I couldn’t figure out the attack scenario / or what the security team would accept! Some weeks later, I find that FB rewarded Sarmad Hassan (jubabaghdad) with $3k . (https://bugreader.com/jubabaghdad@disclose-thumbnail-of-any-video-in-facebook-workplace-87)

Kudos to him. :)

Then Bountycon happened. Very grateful for the team to invite me. Never expected. Met and saw some great security researchers :P !

Revived my interest to hunt bugs on Facebook to give a “return gift

Bug-

My friend had started a Facebook page to post funny videos.

One video was very funny. I knew his fb id and also that he is the admin of the page.

Example admin id- xxxx

While viewing a video, I simply right clicked, View Page Source, searched xxxx.

Boom! One result found.

The page source was leaking the id of the person who was the content owner.

Image for post
Image for post

Impact-

Attacker can view page source from the video section of the Facebook page and find the users with page roles. ( If editor had uploaded the video, it will leak his/her fb id. )

This was fixed within < day. Nice Reward!

I think this maybe the most easiest of security bugs found ever on Facebook which maybe be exploited at large scale without any proxy or advanced steps.

This bug was found sub consciously. I never was hunting for any security issue. So always be humble, honest and grateful!

I would like to thank @phwd, Max Pasqua, Sarmad Hassan, Kassem Bazzoun ,Richard Cao and others for the inspiration of this writeup. There are only a few people who do writeups and I respect them !

Connect with me on Twitter: https://twitter.com/CircleNinja and join me to write your hacking story on this Not for Profit publication !

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug…

Circle Ninja

Written by

Software Security Engineer| CyberPunk

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Circle Ninja

Written by

Software Security Engineer| CyberPunk

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store