Sunday 2 February 2014
0 comments

Indian Security Researcher Got Bounty For Facebook Logical Comment Bug

Indian Security Researcher Manjesh S. Got Bounty For Found Facebook Logical Comment Bug. Manjesh shared with us that how he found the Bug in Logical Comment.

Facebook Logical comment bug
[#] Title:  Logical comment bug on facebook group.
[#] Worth: $500 USD
[#] Status: Fixed
[#] Severity: Low
[#] Author: Manjesh S
[#] Twitter: @Manjesh24

Description:
We can make others comments unremovable on a OPEN group using this bug - its a privacy issue.


Sample example: Assume that someone posted on a OPEN group as :
"Facebook magic!! Comment your email and password here, your email and pass will change automatically to ****@****.com and ********* , Try it now"

Whenever some person sees this post he thinks that it is a new feature from  fb, and will plans to try it, also plans to delete the comment after trying it..

So when a user comments on this post with the email and password we can make this comment unremovable, What happens here is , user primary email and password is publicly viewable and user cannot remove his own comment forever.. Any group members and non group members can view the comments ..


User will never be able to delete his own comment..

Steps to Reproduce:

  1. User need to comment on others post on a OPEN group Admin have to remove the user from the group
  2. Facebook was aware of this privacy issue hence a DELETE option was available to our comment when removed.
But that option was not working :D
When we click on delete, it was showing some error and the the comment was not deleted. 





But this bug was rejected as:
"This is intentional behavior in our product. We do not consider it a security vulnerability."


I didn't mentioned that I was trying it on OPEN group so it was rejected .
As of https://www.facebook.com/help/www/220336891328465 this bug is valid when we consider OPEN group only..

I had some proofs to prove that this is not a intentional behavior, I sent them some proofs + example and the bug was accepted :)



HOC team congrats to Manjesh S. for got $500 bounty by Facebook Bug Bounty program.

About the Author:
Manjesh S,  Engineer Student & Security researcher from India found facebook bug.

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top