Facebook Bug bounty Story: $X000 for an Information Disclosure Bug
Around last year, I reported a valid security bug in Facebook but didn’t know how to explain the impact of the issue. Even after finding the bug, I couldn’t figure out the attack scenario / or what the security team would accept! Some weeks later, I find that FB rewarded Sarmad Hassan (jubabaghdad) with $3k . (https://bugreader.com/jubabaghdad@disclose-thumbnail-of-any-video-in-facebook-workplace-87)
Kudos to him. :)
Then Bountycon happened. Very grateful for the team to invite me. Never expected. Met and saw some great security researchers :P !
Revived my interest to hunt bugs on Facebook to give a “return gift”
Bug-
My friend had started a Facebook page to post funny videos.
One video was very funny. I knew his fb id and also that he is the admin of the page.
Example admin id- xxxx
While viewing a video, I simply right clicked, View Page Source, searched xxxx.
Boom! One result found.
The page source was leaking the id of the person who was the content owner.
Impact-
Fb Page Admin, editor... Disclosure
Attacker can view page source from the video section of the Facebook page and find the users with page roles. ( If editor had uploaded the video, it will leak his/her fb id. )
This was fixed within < day. Nice Reward!
I think this maybe the most easiest of security bugs found ever on Facebook which maybe be exploited at large scale without any proxy or advanced steps.
This bug was found sub consciously. I never was hunting for any security issue. So always be humble, honest and grateful!
I would like to thank @phwd, Max Pasqua, Sarmad Hassan, Kassem Bazzoun ,Richard Cao and others for the inspiration of this writeup. There are only a few people who do writeups and I respect them !
Connect with me on Twitter: https://twitter.com/CircleNinja and join me to write your hacking story on this Not for Profit publication !
