This writeup is about an easy catch in Facebook Lite that unexpectedly led me to win a bug bounty from Facebook for the first time. So, I am Samip Aryal from Nepal; you can consider me a newbie for now, specifically in this bug bounty field; however, till now I have already made about 39 reports to Facebook. And this one is the 26th report, which made it to the destination for the first time. Most of my previous reports were closed as Informative (most of them got closed off edge of bounty), some as Duplicates and a few as N/A too (with bugs that occurred only on my end due to some account problems or misunderstanding, and UI bug reports that were made in the initial phase just for fun/test or perhaps due to incognisance).
So, let me move to this bug. There’s a separate Newsfeed for pages to interact with other pages and their posts independently. Previously, pages could get an option to access it directly from the web, but now it can be accessed only through the URL ‘https://www.facebook.com/pageusername/news_feed’. However, moving to mobile, pages still get a separate news_feed section in the top bar or from the ‘more’ option inside the page in Facebook Lite and (rarely) in the Facebook app too.
Now, at first, I began to look for an admin disclosure vulnerability in the page news_feed on the Facebook app. Everything went smoothly; I couldn’t find anything suspicious. But then I remembered Facebook Lite and started testing the same section there. After some attempts, when I opened a photo from any one of the posts in the page news_feed and then commented on the post, the comment suddenly went from the admin’s personal account instead of the page. (However, when commenting just from the outer interface without opening the media, the comment goes from the page itself.) This vulnerability was practically most effective with posts containing multiple media (photos/videos), where pages can view the photos/videos one by one by clicking on them; when they then commented back, the comment used to go from the admin’s account. So, without any hesitation, I immediately reported it to Facebook with a POC video.
After several conversations, they replied claiming it to be fixed, but it wasn’t properly fixed the first time. I informed them about what remained. After some days, they rewarded me the bounty before a complete fix. So, they asked me to refrain from disclosing any details of the report before it was fully resolved. Now, as the bug is already patched, here I am disclosing it.
Timeline
Reported — Sunday, July 12, 2020
Pre-Triaged — Thursday, July 16, 2020
Triaged — Friday, 17 July 2020
Fix claim from their side — Saturday, 25 July 2020
Informed about incomplete fix — Saturday, 25 July 2020
Reply of Acknowledgement — Wednesday, 5 August 2020
Asked for an update — Sunday, 16 August 2020
Informed about the ongoing process — Wednesday, 19 August 2020
Bounty Rewarded without the fix — Friday, 28 August 2020
Additionally asked to refrain from disclosure — Friday, 28 August 2020
Agreed, thanked & requested to update the hall-of-fame page — Friday, 28 August 2020
Listed in the Facebook hall of fame — Wednesday, 2 September 2020
Asked permission to disclose the bug as it got completely fixed — Monday, 28 September 2020
Permission granted with a final patch message — Wednesday, 7 October 2020
Thank you for reading this writeup about this simple vulnerability. If you have any suggestions/queries, I’m available on Facebook/Instagram :)