2020-07-18

Hello readers,
In this article of Ask Buddie, I will be covering some of the logical flaws found by Nepali bug hunters in Facebook which will be helpful for beginner bug hunters to get started with their bug hunting journey and eventually getting their first bounty.
Most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc). By contrast, business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
You don't necessarily need to have in-depth knowledge about security in order to find a logic flaw in an application. Most of the times normal people find it but doesn't know that it might have security impact and needs to be reported.
Now lets explore some of the logic flaws found by Nepali Bug Bounty hunters in Facebook that might get you started in your bug hunting journey.
Found by : Baibhav Anand Jha
Summary : Instagram has a privacy setting allowing user to chose who can reply to your story.

Instagram story reply privacy settings
Exploiting this bug will allow anyone to reply to people's story even if the replies are disabled.
Steps for reproduction:
I was also able to bypass the fix which Facebook implemented for this bug and was able to get bounty again for the same bug.
Full article : https://medium.com/bugbountywriteup/bypassing-the-fix-of-my-previous-instagram-bug-49ece4ea7e1d
Found by : Saugat Pokharel
Summary : Replying with a photo comment via page in Facebook lite revealed page admin.
Steps for reproduction :
Full article : https://medium.com/nassec-cybersecurity-writeups/page-admin-disclosure-facebook-bug-bounty-2020-8a45cf911e24
Found by : Binit Ghimire
Summary : Facebook has a privacy feature using which people can chose who can reply to their posts. He was able to comment on live steams with privacy set to "Friends only".
Steps for reproduction:
Full article : https://askbuddie.com/blog/unauthorized-comments-on-facebook-live-stream/
Found by : Sudip Shah
Summary : Sending photo message as a page using Facebook Lite will sent via personal profile instead of being sent as page.
Steps for reproduction :
Full article : https://medium.com/@sudipshah_66336/the-story-of-my-first-4-digit-bounty-from-facebook-3a29830e03cd
Found by : Ashok Chapagai
Summary : Forwarding one of the pictures from a group of pictures from inbox in Facebook lite forwards all the picture instead of the one particular picture that someone intends to forward.
Steps for reproduction:
Full article : https://medium.com/@ashokcpg/non-technical-write-up-on-my-second-bounty-of-1-000-from-facebook-74daecd6879b
Found by : Jabir Khan
Summary: He was unable to revoke access for an application allowing application to continue having access to his data.
Steps for reproduction :
Full article : https://medium.com/nassec-cybersecurity-writeups/this-is-how-i-got-xxxx-from-facebook-for-instagram-bug-aaff50342246
Found by : Ajay Gautam
Summary : Adding non-admin as Co-host for a page event revealed the admin name in notification panel of the invitee.
Steps of reproduction :
Full article : https://medium.com/bugbountywriteup/page-admin-disclosure-facebook-bug-bounty-2019-ee9920e768eb
Lastly I would like to include this vulnerability of mine which I have never disclosed else where.
Found by : Baibhav Anand Jha
Summary : We were able to hide ourselves in the close friend list of Facebook avoiding victim to remove us and were able to view content that was shared with privacy "Close Friends Only".
Steps for reproduction :
Clicking the publish button in hopes that this article will help someone find his/her first logic flaw landing him/her their first bounty.
Like this article? Do follow me on Twitter @spongebhav
We use cookies to improve your experience on our website. By continuing to use this website, you agree to our use of cookies.