Hello all,

It’s me, Sandeep Giri, again! This is my second valid bug for the Facebook Bug Bounty Program. I was rewarded $500 by the Facebook responsible disclosure program. Below is the explanation:

When a user creates a room as part of a group event, the room remains in the group’s rooms list even after the event is deleted. And the group admin cannot delete the room.

Reproduction Steps:

Hello Readers,

I am Sndp Giri, a Cyber Security student at the University of Tasmania. I am excited to share my first valid bug finding on Facebook. In this short write-up, I will share with you how I approached this bug, what mistakes I made, and what I learned overall.

The first question that arose in my mind was the Facebook username endpoint, www.facebook.com/username. I started thinking: what if I could change the username to something that might be the actual URL path to some existing service or feature Facebook is using? For example, www.business.facebook.com/overview. Changing the…

Sndp Giri
