Page Admin Disclosure: Facebook Bug Bounty 2020

Hello everyone! I am Saugat Pokharel from Kathmandu, Nepal. Today I am going to write up how I managed to receive my third bug bounty from Facebook.

I received my first bug bounty from Facebook 10 months ago, after I accidentally discovered a major privacy issue on Facebook. Since then, I have always looked for security issues while browsing Facebook.

On Tuesday evening, March 24, 2020, I found another privacy issue on Facebook, which earned me another bug bounty. The outbreak of the COVID-19 pandemic was the dominant news everywhere in the world at the time. The Nepal government had declared a nationwide lockdown, as the number of cases was accelerating rapidly on a global scale. I had nothing to do except stay at home, browse the Internet and learn things, and I was very bored.

I own a few Facebook pages with a decent number of followers and good user engagement, so I began to post updates about the coronavirus on those pages. There were many questions in the comment sections, and I replied to some of them. While replying with a photo in a comment section through Facebook Lite, my reply was published from my personal profile instead of the page's profile. The page itself was the one replying, but the visible author of the photo reply was the admin's personal account. I believed this was a straightforward page admin disclosure, so I immediately reported the issue to Facebook as follows.
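The bug class behind this report is an action that has more than one code path (a plain text reply and a reply with an attached photo) where one path drops the "act as page" identity and falls back to the logged-in user. The following is an added, hypothetical Python model of that failure mode and of a hardened form; it is not Facebook's code, it does not claim to show how Facebook Lite or its API actually work, and all names in it (`Session`, `Comment`, `resolve_actor`, `reply_vulnerable`, `reply_hardened`, `check_publish`, `leaks_admin`) are assumptions made for the illustration.

```python
"""Toy model of the "page admin disclosure" bug class.

Added example, not Facebook's code. It models the general failure mode:
a product exposes one action (reply to a comment) through several code
paths, and one of them (the photo path) forgets the "act as page"
context and publishes under the admin's personal identity instead.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Session:
    """Who is logged in, and which page (if any) they are acting as."""
    user_id: str
    acting_as_page: Optional[str] = None


@dataclass(frozen=True)
class Comment:
    author_id: str              # identity shown publicly on the comment
    text: str
    photo: Optional[bytes] = None


def resolve_actor(session: Session) -> str:
    """Single source of truth for the published identity: the page when the
    admin is acting as that page, otherwise the personal profile."""
    return session.acting_as_page or session.user_id


# --- vulnerable version: two code paths, one ignores the page context ---

def reply_vulnerable(session: Session, text: str,
                     photo: Optional[bytes] = None) -> Comment:
    if photo is None:
        # Text path: honours the page context.
        return Comment(author_id=resolve_actor(session), text=text)
    # Photo path: uses the login identity directly. For an admin replying
    # as a page this leaks the admin's personal profile as the author.
    return Comment(author_id=session.user_id, text=text, photo=photo)


# --- hardened version: one actor resolution plus a publish-time gate ---

def reply_hardened(session: Session, text: str,
                   photo: Optional[bytes] = None) -> Comment:
    # Every path builds the comment from the same resolved actor.
    return Comment(author_id=resolve_actor(session), text=text, photo=photo)


def check_publish(session: Session, comment: Comment) -> bool:
    """Defence in depth, independent of how the comment was built: refuse to
    publish a comment whose author is not the identity the session acts as."""
    return comment.author_id == resolve_actor(session)


class IdentityLeak(Exception):
    """Raised by publish() when the publish-time gate fails."""


def publish(session: Session, comment: Comment) -> Comment:
    if not check_publish(session, comment):
        raise IdentityLeak(
            f"comment names {comment.author_id!r} but session acts as "
            f"{resolve_actor(session)!r}")
    return comment


# --- regression check a reviewer could run against any reply handler ---

ReplyFn = Callable[[Session, str, Optional[bytes]], Comment]


def leaks_admin(reply_fn: ReplyFn, session: Session,
                photo: Optional[bytes]) -> bool:
    """True if an admin acting as a page would be exposed by this path."""
    if session.acting_as_page is None:
        return False            # nothing to leak when not acting as a page
    comment = reply_fn(session, "reply", photo)
    return comment.author_id != session.acting_as_page


def regression_suite(reply_fn: ReplyFn) -> Dict[str, bool]:
    """Exercise the text and photo paths for a page admin; any True is a bug."""
    admin = Session(user_id="u_admin", acting_as_page="page_1")
    fake_png = b"\x89PNG\r\n\x1a\n"          # constructed sample attachment
    return {
        "text_reply_leaks": leaks_admin(reply_fn, admin, None),
        "photo_reply_leaks": leaks_admin(reply_fn, admin, fake_png),
    }


if __name__ == "__main__":
    print("vulnerable:", regression_suite(reply_vulnerable))
    print("hardened:  ", regression_suite(reply_hardened))
```

The point of `check_publish` is that it does not trust whichever handler built the comment: even if a new code path is added later and forgets the page context, the publish-time gate rejects the comment instead of silently exposing the admin.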

Description:

Today I was browsing my Facebook page through Facebook Lite. I posted some information related to the coronavirus and I was replying to some of the queries in the comment section. I found that when I reply with a photo, the reply is always posted through my personal profile.

Impact:
This would lead to a serious privacy concern as the page admin is disclosed.

Setup:
Vivo 1606 (Y53) Android 6.0 Based on FunTouch OS

I also included a link to a video demonstrating the issue, which is given below.

Video link: https://youtu.be/DwFrBls8V64

I got the following reply from Facebook on the same day.

Hi Saugat,

Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress.

Thanks,

Joel
Security

I could not reproduce the issue 5–6 hours after sending the report, so I believed that a fix had been pushed very quickly.

On April 1, 2020, I got the following message from Facebook.

Hi Saugat,

We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not resolve this issue. We will follow up regarding any bounty decisions soon.

Thanks,

Joel
Security

I replied that the issue had been patched.

On Thursday evening, April 2, I got a message from Facebook about the bounty decision.

In this way, with a very simple bug, I was able to get my name listed on the Facebook Hall of Fame 2020 page.

Thank you for taking the time to read my article. I cannot forget Ajay Gautam and Binit Ghimire for motivating me on my Facebook Bug Bounty journey. Have a great day!

You can follow me on Facebook or Twitter if you would like to stay connected with me.

Independent Cybersecurity Researcher
