How I found a simple bug in Facebook without any testing

Hello community, today I would like to talk about my easiest bug in Facebook and how I found it without any testing, so let’s jump in :)

On Aug 28, 2018, I was checking my News Feed and suddenly I got this weird notification (see the image below):

It’s just a notification for an event in a closed group, and the event had been deleted.

Why was this notification weird to me? OK, let me explain:

  • The notification for the above event is related to a closed group.
  • I was an ex-member of that closed group (I had left it), which means I can’t access the group and can’t see the group’s contents.
  • So why the hell did I get this notification from that group while I’m not a member of it anymore!!!

yeaaah :)

Within seconds I knew it was a security bug (see this link), and at the same time some ideas came to my mind:

  • What about blocked users!!??
  • What if the event name was changed and then the event got deleted? Is it possible to see the last update of the event’s name after users got blocked or left the group!!??

After playing with my test closed group I noticed the following:

1- Blocked users and users who left the group can receive a notification with the last updated name of the event.

2- It works for all kinds of events (accounts, pages, even Workplace), not just in closed groups.
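The bug class behind these two observations is an authorization check done at the wrong time: the recipient list for an event is fixed when the event is created, and later changes (a member leaving, a user being blocked, the event being renamed) are never re-checked before a notification goes out. The following is an added illustration, written for this post and not Facebook’s code; the group/event model, the user names and the two dispatcher functions are all constructed. It shows a naive dispatcher that trusts the creation-time subscriber snapshot next to a hardened one that re-evaluates group access at delivery time.

```python
"""Constructed model of event-notification fan-out for a closed group.

Hypothetical names and data, not Facebook's implementation. The flawed
dispatcher captures recipients when the event is created, so users who later
leave or are blocked still receive notifications carrying the event's latest
name. The hardened dispatcher re-checks access for every recipient at send
time, which is the property a defender wants to test for.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def can_view(self, user: str) -> bool:
        # Closed group: only current, non-blocked members may see its content.
        return user in self.members and user not in self.blocked


@dataclass
class Event:
    group: Group
    name: str
    # Snapshot of the member list taken at creation time (the flawed design).
    subscribers: set = field(default_factory=set)


def create_event(group: Group, name: str) -> Event:
    return Event(group=group, name=name, subscribers=set(group.members))


def notify_naive(event: Event, message: str) -> dict:
    """Flawed: trusts the creation-time subscriber snapshot."""
    return {user: f"{message}: {event.name}" for user in event.subscribers}


def notify_checked(event: Event, message: str) -> dict:
    """Hardened: re-evaluates group access for each recipient at send time."""
    return {
        user: f"{message}: {event.name}"
        for user in event.subscribers
        if event.group.can_view(user)
    }


def scenario() -> tuple:
    """Replays the sequence from the post with constructed users.

    Returns (naive_deliveries, checked_deliveries) as user -> message maps.
    """
    group = Group("test-closed-group", members={"alice", "bob", "carol"})
    event = create_event(group, "Meetup (original)")
    group.members.discard("bob")        # bob leaves the group
    group.blocked.add("carol")          # carol is blocked by an admin
    event.name = "Meetup (renamed)"     # renamed after they lost access
    return (notify_naive(event, "Event deleted"),
            notify_checked(event, "Event deleted"))


if __name__ == "__main__":
    naive, checked = scenario()
    print("naive  :", naive)     # bob and carol still see the new name
    print("checked:", checked)   # only alice is notified
```

Running `scenario()` shows the leak directly: the naive map contains entries for `bob` (left) and `carol` (blocked) that include the post-departure event name, while the checked map only contains `alice`. The fix is not in the notification text but in where the access decision is made: membership must be evaluated against current state at delivery, not against a cached list.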

I reported this directly to the Facebook Security Team and they accepted it as a valid bug. Thank you guys for the bounty :)

To the admin of the IQDevs group, whoever you are, thank you for deleting that event; because of you I found this bug ;)

Timeline:
Aug. 28, 2018 — Initial Report
Aug. 31, 2018 — Report Triaged
Dec. 19, 2018 — Bounty awarded
Jan. 31, 2019 — Bug Fixed
Jan. 31, 2019 — Fix confirmed

PoC Video:

Takeaways:

1- Sometimes you don’t need tools or F12 to find valid bugs :)

Thank you

Sarmad Hassan (JubaBaghdad)