Facebook Bug Bounty: Finding the hidden members of private events

VIVEK P S
Dec 19, 2020 · 2 min read

Hi All,

I am Vivek. This write-up is about a bug I found in Facebook private events. I reported almost 7 issues in January and February this year, but all of them were closed as either informative or duplicate. After reading some write-ups I decided to look at Facebook events, and luckily I found some logical issues in that area.

Facebook events have an option to hide the member list to protect user privacy. I tried different cases and monitored many web requests to check whether any endpoint was leaking member information. Logical bugs are all about observing and thinking out of the box. I remembered that when someone is not a member of a Facebook group and their profile URL is shared as a comment or post inside that group, Facebook renders the link with a CSS class named ‘WeakReference’ to inform the members that this user is not a member of the group.

The grayed text indicates that the user is not a member of that group

I tried the same in a private event and found the same behavior. So even when the member list is hidden, an attacker can find out whether someone is a member of the event just by sharing the victim’s profile in a comment or as a new post: the styling of the link acts as a membership oracle. I reported it to the security team immediately.
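To show why this is an authorization bug rather than a styling detail, here is an added example (not Facebook’s code and not from the original write-up) that models the link-rendering decision. The event object, the host and member fields, and all function names are assumptions made for this illustration; the fix gates the membership-dependent class on whether the viewer may already see the guest list.

```javascript
// Constructed sample event with a hidden guest list (not real data).
const privateEvent = {
  id: 'evt-1',
  hostIds: new Set(['host']),
  memberIds: new Set(['host', 'alice']),
  guestListHidden: true,
};

// Vulnerable logic: the hint depends only on the target's membership, so any
// viewer who can post a comment learns whether the target is a member.
function linkClassVulnerable(viewerId, event, targetId) {
  return event.memberIds.has(targetId) ? '' : 'WeakReference';
}

// Assumed policy: the guest list is visible when it is public or when the
// viewer is a host of the event.
function canSeeGuestList(viewerId, event) {
  return !event.guestListHidden || event.hostIds.has(viewerId);
}

// Hardened logic: membership-dependent styling is applied only to viewers
// who are already allowed to see the guest list. Everyone else gets the
// same output for every target, so the link reveals nothing.
function linkClassHardened(viewerId, event, targetId) {
  if (!canSeeGuestList(viewerId, event)) return '';
  return event.memberIds.has(targetId) ? '' : 'WeakReference';
}

// Regression check: a rendering policy leaks membership to a viewer if its
// output for a known member differs from its output for a known non-member.
function leaksMembership(policy, viewerId, event) {
  const memberOut = policy(viewerId, event, 'alice');
  const outsiderOut = policy(viewerId, event, 'bob');
  return memberOut !== outsiderOut;
}

// Stand-alone run: the vulnerable policy leaks to an outsider, the hardened one does not.
console.log('vulnerable leaks:', leaksMembership(linkClassVulnerable, 'mallory', privateEvent));
console.log('hardened leaks:', leaksMembership(linkClassHardened, 'mallory', privateEvent));
```

The `leaksMembership` check is the kind of test a team would keep after the fix: it fails again if any future rendering path lets the output depend on membership for a viewer who cannot see the guest list.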

Facebook rewarded me for finding this logical issue.


Written by VIVEK P S, Software developer, Bug hunter

InfoSec Write-ups: A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
