My First Bug Bounty at Facebook (Broken feature)
Hi guys, i’m Justin lee from Philippines. i’m newbie in bug bounty hunting i started in bug bounty hunting on March 2020 but i’m start in Web Pentesting end of December 2018. when im joining to the “Cyber world” only i want learn how to facebook XD that’s why im started to studying web hacking then i learned basic method of web hacking like (e.g SQLi,LFI,XSS, etc..) when i enjoyed the web hacking then i forgot what im really want (facebook hacking). so i enjoy and i try to learn web developing to understand how method and system works after a month of studying and focusing at web develping i tried to pentest my on website at the same time. then i started to joining group chat then one of the topic is “Bug Bounty Hunting” they notice that you can earn money from doing pentesting in legal way so i started to learn bug bounty hunting after searching from google i read writes up that campany paid $5000 from simple bug that i never know when doing pentesting the method is IDOR when i understand the logic of IDOR and impact and im inspired to bug hunting.
As Developer i nerver expect that this vulnerability has exist, all i know is XSS,SQLi,LFI so this really amazing and interested thing come in my mind and i’m super excited to learn somthing new. so thats why i started bug bounty hunting around 2nd week of march? i started hunting on hackerone but this not easy to what i expected but im not give up, after a month i got my first Bug bounty reward on September 2020 worth of $500 on private program.
i’m telling my story for inspire the newbies like me that almost gave up because they not found they first bug bounty :)
so i start joining facebook bbp after i understand what is bug hunting after reading some writes up on facebook
i submit my first bug on facebook close as N/A :< then after a month i read writes up of saugatpokharel the facebook was accept they report then i start finding same thing then i found but facebook team close Informative because my found is only bug (no security impact) then i asked facebook security why they accept the report of saugatpokharel but not my report, then they replied.
after reading this i undersand 100% what they accept and not. after a month i found again the same thing but again, i can’t see any security impact.
i found that i can’t use the privacy option of “friends; except:” and “spesific friends”
Note: Facebook Team will not pay for broken feature unless you demonstrate what is impact of the bug your decribe.
But i reported it because nothing to lose for me not like hackerone.
after a week the bug was not fix but i need to use that options but if i report it as “broken feature” im not getting bounty, after a day i remember that they said they accept “privacy issue” yeah this not security issue but this connected to privacy issue so i report it.
after a day they reply to my report that needs mo informations, they having having trouble for reproducing steps and they said test to updated FBLite
so i update my FBLite then i i test my account but also having trouble on my account the bug is seems fixed then i’m not reply to my report that time then when i back to my another account the bug is also working, this weird so i back again to my another account but the function was working properly so means the bug defends on account not on FBLite verions also i test this bug to another device and i confirm that the bug is defends on account so i add more informations such as user ID’s of affected of this Bug and also i test it on other facebook product’s like fb app,web, etc..
Note: be nice to facebook security team when you discribing bug even they so annoying some times, if you bilieve that you found security impact or privacy issue, explain it clearly depends what is impact of your report.
i can’t hack Facebook at least i achieve my goals, after hard working i found my first bug bounty at Facebook BBP XD
Thanks for Reading my writes up!!!
Timeline Review:
- Dec 9, 2020 (Initial Report)
- Dec 11, 2020 (Needs more information)
- Dec 13, 2020 (sent more information)
- Dec 15, 2020 (Triaged)
- Jan 5, 2021(Bounty Awarded)