How I found a simple bug in Facebook without any test

Hello Community, today I would like to talk about my easiest bug in Facebook and how I found it without any test, so let's jump in :)

On Aug 28, 2018, I was checking my News Feed and suddenly I got this weird notification, see the image below:

It's just a notification for an event in a closed group, and the event had been deleted.

Why is this notification weird to me? OK, let me explain:

  • The notification for the above event is related to a closed group.
  • I was an ex-member (I had left the group) of that closed group, which means I can't access the group and can't see the group's contents.
  • So why the hell did I get this notification from that group while I'm not a member of it anymore!!!
yeaaah :)

Within seconds I knew it was a security bug (see this link); at the same time some ideas came to my mind:

  • What about blocked users!!??
  • What if the event name was changed and then the event got deleted? Is it possible to see the last update of the event's name after users got blocked or left the group!!??

After playing with my test closed group I noticed the following:

1- Blocked users and users who left the group can receive a notification with the last updated name of the event.

2- It works for all kinds of events (accounts, pages, even Workplace), not just in closed groups.
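To make the access-control failure behind these two findings concrete, here is a small added model of an event-notification fan-out (illustrative code written for this write-up, not Facebook's code; the group, event and user names are constructed). The vulnerable version sends the "event deleted" notification to everyone who subscribed to the event while they still had access, so ex-members and blocked users receive it together with the event's current name. The hardened version re-checks each recipient's access to the group at send time, which is the check whose absence the findings above describe.

```python
"""Model of the notification fan-out bug described above (added example, not
Facebook's code). Subscribers are captured when they had access; the buggy
fan-out trusts that stale list, the fixed fan-out re-authorizes at send time.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    blocked: set = field(default_factory=set)


@dataclass
class Event:
    name: str
    group: Group
    # Users who subscribed (RSVP'd, were invited, ...) while they could see the group.
    subscribers: set = field(default_factory=set)


def can_view_group(user: str, group: Group) -> bool:
    """Authorization check for a closed group: current member and not blocked."""
    return user in group.members and user not in group.blocked


def notify_delete_vulnerable(event: Event) -> dict:
    """Buggy fan-out: notifies everyone on the subscriber list captured earlier,
    leaking the event's latest name to users who have since lost access."""
    return {user: f"Event '{event.name}' in {event.group.name} was deleted"
            for user in event.subscribers}


def notify_delete_hardened(event: Event) -> dict:
    """Fixed fan-out: re-evaluates group access for every recipient at send time."""
    return {user: f"Event '{event.name}' in {event.group.name} was deleted"
            for user in event.subscribers
            if can_view_group(user, event.group)}


def demo() -> tuple:
    """Replays the scenario from the write-up on constructed data:
    one user leaves, one is blocked, then the event is renamed and deleted."""
    group = Group("closed group (constructed)", members={"alice", "bob", "carol"})
    event = Event("Meetup", group, subscribers={"alice", "bob", "carol"})
    group.members.discard("bob")          # bob leaves the group
    group.blocked.add("carol")            # carol is blocked ...
    group.members.discard("carol")        # ... and therefore removed
    event.name = "Meetup (cancelled)"     # admin renames the event before deleting it
    return notify_delete_vulnerable(event), notify_delete_hardened(event)


if __name__ == "__main__":
    leaky, fixed = demo()
    print("vulnerable recipients:", sorted(leaky))   # alice, bob, carol
    print("hardened recipients:  ", sorted(fixed))   # alice only
```

The design point is that membership and block status are mutable, so any recipient list computed earlier (an invite list, an RSVP list, a push-subscription table) must be treated as a hint, and the real authorization decision has to be made against current state at the moment the notification is emitted.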

I reported this directly to the Facebook Security Team and they accepted it as a valid bug. Thank you guys for the bounty :)

To the admin of the IQDevs group, whoever you are, thank you for deleting that event; because of you I found this bug ;)

Timeline:
Aug. 28, 2018 — Initial Report
Aug. 31, 2018 — Report Triaged
Dec. 19, 2018 — Bounty awarded
Jan. 31, 2019 — Bug Fixed
Jan. 31, 2019 — Fix confirmed

PoC Video:

Takeaways:

1- Sometimes you don't need tools or F12 to find valid bugs :)

Thank you

Sarmad Hassan (JubaBaghdad)

Published in InfoSec Write-ups

Written by Sarmad Hassan (Juba Baghdad)
We work in the darkness, but serve the light

InfoSec Write-ups: A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
