Hi Everyone, sharing this write-up how I discovered reflected XSS on a random bug bounty program using mobile phone.

Every website has a redirect function where if a user logout or session terminated, it redirects to the login page. If we check the url, it contains parameters with value of the webpage deep link where the user will redirect after logged back in.

1. To know the parameter name or used for any redirects, just copy the url where required a user session.

https://www.redacted.com/settings

2. Logout and paste the URL above and it will require you to login first. You will notice that the URL looks like below.

https://www.redacted.com/login?url_redirect=https://www.redacted.com/settings

3. Change url_redirect value using below payload.

javascript:alert(1)

4. Final output

https://www.redacted.com/login?url_direct=javascript:alert(1)

In my case, this website used ref parameter. After it triggers I immediately report it to the security team and they respond within the same day.

Additional related info

• GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List
• What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy

How I managed to bypassed again the default visibility for newly-added email in Facebook. Here is the link of my first write-up related to issue:

Bypassing default visibility for newly-added email in Facebook(Part I - Submitting I.D)

Steps to reproduce:

1. Go to Facebook Settings > Password and Security > Setting up extra security and choose 3 trusted contacts.
2. Go to facebook.com/login/identify and find your Facebook account.
3. Click "No longer have access to these?" and provide valid email address.
4. Get all recovery code from your 3 trusted contacts and follow the instruction provided to create a successful recovery.
5. Check the visibility of new added email using own account or other account.

Timeline:

21 January 2022 - Initial Report
25 January 2022 - Provided some details
26 January 2022 - Triage
24 February 2022 - Fixed and awarded $xxx

This bug is first announced at Facebook Bug Bounty page where they called it Visibility Setting Bug and thanks to Saugat Pokharel for sharing his findings. First, the default visibility for newly-added contact in Facebook is always set to "Only Me". However through Facebook account recovery, I noticed that the email address that added to account is in unexpected privacy.

Steps to reproduce

1. Go to facebook.com/login/identify and find your Facebook account.
2. Click "No longer have access to these?" and choose "I cannot access my Email".
3. Enter a new email address and upload supported documents.
4. When you receive the email of Facebook about confirming your identity, login your account and check the visibility setting of the new added email address to your account.

In this case, Facebook Security added the new email address with visibility that set to "Friends".

This report got two requested review because they don’t consider it as valid. I tried to clarify my report until I received this reply.

So I understand why they don’t consider it as valid, But after 5 days I received this reply.

This is the link of my part II write-up related to this issue:

Bypassing default visibility for newly-added email in Facebook(Part II - Trusted Contacts)

To understand more this issue here’s the first security researcher write-up regarding to this issue:

A Facebook bug that exposes email/phone number to your friends

Timeline:

06 -SEP-2021 - Initial Report
08-SEP-2021 - Closed my report
08-SEP-2021 - Requested a review
10-SEP- 2021 - Closed my report
10-SEP- 2021 - Requested a review again
14-SEP-2021 - Closed my report again
19-SEP-2021 - Considered my report as eligible
05-OCT-2021 - Rewarded $x,xxx but fix is still pending
13-OCT-2021 - Fixed

I’m here again to share my 2nd and 3rd valid report. It’s all about page admin disclosure in Facebook Lite. In my Initial report, Facebook security team says its not valid because my Initial report is admin disclosure through reaction. When I create a post and click "View Post" then tried to react in my own post or in any random comment in my new post, my personal account reflected to who’s reacted instead of my page. Facebook security team clarify that anyone can react in any public post/comment so its hard to identify that its from the admin of the page.

After a few days I found a bug that related to my last report. With all the same procedure, the comment section can disclose admins personal account. Without any sign that you're interacting to your page as your profile, your personal account interact to the page. So I open my last report to discuss my concern and they easily identify what It is.

Steps to reproduce:

1. Create a post on a page using Facebook Lite
2. Instead of clicking "Close" click "View Post" and comment on anything.

When an admin clicks "View Post" they’re interacting to the page as followers so when they want to comment on something, their personal identity interacts with the page.

Timeline:

06 June 2021 : Initial report
09 June 2021 : Facebook security team says its not valid
12 June 2021 : Review Requested
16 June 2021 : Manage to reproduced and Triaged
24 June 2021 : Fixed
25 June 2021 : Rewarded $xxx

While waiting to fixed that report, I found again one interesting bug that could lead to admin disclosure. When a page admin taps any comment notification from the page using Facebook Lite, comments they make at that time would be posted with their personal identity. I wait to fix my current report before submitting a new report because they're currently working at this product. And after one week of waiting my report is fixed and I'm lucky that this bug is still exist. So I submit this as new report and it's triage in less than 24 hours. After 5 days they said that it's already fixed but I noticed that when a notification is direct to reply someone's comment, still personal profile of the admin interact to the page.

Steps to reproduce:

UserA = Page Admin
UserB = follower of the page
1. UserA create a post in page
2. UserB comment on that post
3. In Facebook Lite, UserA taps that comment notification from page.
4. UserA reply to UserB.

Timeline:

25 June 2021 : submit new report
25 June 2021 : Triaged
30 June 2021 : Fixed and Triaged (There’s some needed to fix)
20 July 2021 : Fixed
23 July 2021 : Rewarded $xxx

Sharing my story how I was rewarded $xxx from Facebook. I started hunting a bug this February 2021 when I see it to one member of group that he will be awarded by doing that things. But in actual hunting, I realized that It’s not easy like I think. I submit a reports in Bugcrowd and HackerOne but my reports is Informative and the one is duplicate. It’s not easy for beginners so I always reading write-ups and watching in Youtube. Until I read a write-ups of bug in Facebook and that’s it. For those who didn’t already know, Facebook can award you if you found a bug that may affects to Privacy of it’s user and award can be high if you will find a High risk bug.

Since I always deactivate my Facebook account and I always used only is the Messenger app, It brings me to my first bug bounty in Facebook. Through Facebook Messenger a deactivated Facebook account can able to send message to any Facebook user and Instagram user. In searching bugs in both application I found that if the Facebook is deactivated, Instagram user can't block it.

Title: Instagram User was Unable to Block deactivated Facebook account on cross-app communication

Steps to reproduce:

1. Deactivate your Facebook account and use Messenger application
2. Through Messenger send a message to any Instagram user except to Instagram account that connected to your Facebook account.
3. From Instagram app, you can send and receive a message from Deactivated Facebook account but you can’t block that Facebook account.

PoC link: https://youtu.be/et7yC6ENqRs

I have some tips for beginners or new to Facebook bug bounty program. This is based on my experienced.

1. Always update your application before you starts hunting.
2. If you know that you find a bug. Test it multiple times before doing a write-ups.
3. Always provide PoC even your bug is easy to reproduce.
4. Be nice to security team.

And last don't give up, I failed multiple times before I get my first bug bounty but I considered myself as lucky because 2 months in hunting bug and almost 1 month in Facebook bug bounty program is too soon for me to be awarded.

Edited:

Special thanks to Admin Rien/Rena of PHU IV and Pinoy Info Sec.

Timeline:

March 6, 2021 - Initial report
March 10, 2021 - Needs a PoC
March 11, 2021 - I sent PoC
March 17, 2021 - I conduct a test to different account and I sent again the 2nd PoC.
March 18, 2021 - Triaged
March 25, 2021 - Fixed
March 31, 2021 - Bounty awarded