It’s me, Sandeep Giri, again! This is my second valid bug for the Facebook Bug Bounty Program. I was rewarded $500 by the Facebook responsible disclosure program. Below is the explanation:
When a user creates a room as part of a group event, the room remains in the group’s rooms list even after the event is deleted. And the group admin cannot delete the room.
I am Sndp Giri, a Cyber Security student at the University of Tasmania. I am excited to share my first valid bug finding on Facebook. In this short write-up, I will share with you how I approached this bug, what mistakes I made, and what I learned overall.
The first question that came to my mind was the Facebook username endpoint, www.facebook.com/username. I started thinking: what if I could change the username to something that might be the actual URL path to some existing service or feature Facebook is using? For example, www.business.facebook.com/overview. Changing the…