Bypassing Brand Collabs Manager Eligibility on Facebook

Ajay Gautam
Dec 26, 2019 · 3 min read

In this week’s blog, I am writing about how I was able to bypass the eligibility criteria for the Brand Collabs Manager and register my page without meeting the criteria and policy. I wasn’t awarded any bounty for this as Facebook’s production team deemed it unqualified for monetary reward.

If you are not familiar with what Brand Collabs Manager is on Facebook, it is the monetization of Facebook videos where brands can reach to their creators for branded content partnerships.

To be eligible to register in brand collabs one needs to meet the following conditions-

  • Your Facebook page must have a minimum of 1,000 followers.
  • In 60 days, your posts must have reached 15000 engagement.
  • In 60 days, your videos must have 180,000 minutes views.
  • In the last 60 days, your page must have 30,000 views along with a minimum of one minute watch time for videos over 3 minutes long.

Let me take you through what I found -

When I went to the Brand Collabs Manager application form, I saw that I am was not eligible to apply for the brand collabs manager as Nassec.io as my page didn’t meet the above-mentioned criteria.

However, I tried registering Nassec.io in the brand collabs manager by changing the response status from ineligible to eligible as shown below.

https://www.facebook.com/creator_onboarding/?creator_monetization_product=brand_collab_manager&entrypoint=from_landing_page

This was the response of the request to collect information about all the pages. Here, I changed “eligibilityBucket”:” ineligible” to “eligibilityBucket”:” eligible” and I saw that it was eligible for registering in brand collabs manager.

Once I changed the status to “eligible”, I was granted access to sign-up form for the brand collabs manager. I filled the sign-up form and got a successful message as shown below.

It went for manual verification with the Facebook team and for a moment, I thought my request will be rejected.

However, after waiting for a few minutes I got an mail from Brand Collabs Manager saying that my application was approved.

I sent a report to the Facebook team including a Proof of Concept (POC). Facebook’s security team triaged the report and got back to me a day later with the following message.

Video POC

Timeline

Reported — October 23, 2019

Reproduced — October 28, 2019

Triaged — October 29, 2019

Rejected — November 13, 2019

Though I was not awarded any bounty for this find, it did help me enhance my bounty skills. Bug Bounty is not always about finding bugs and earning money. So don’t get disappointed even if you are not awarded bounty at times and keep continuing bug bounty.

nassec

Writeups related to cybersecurity by Nassec contributors.

Ajay Gautam

Written by

Head of Security at NASSec

nassec

nassec

Writeups related to cybersecurity by Nassec contributors.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade