It’s me Sandeep Giri again! This is my second valid bug for the Facebook Bug Bounty Program, and the Facebook responsible disclosure program rewarded me $500 for it. Below is the explanation:
When a user creates a room as part of a group event, the room remains in the group’s rooms list even after the event is deleted, and the group admin cannot delete it.
- A group member creates an event in the group with the option Online Video Chat with Messenger enabled.
- From the admin’s account, the admin deletes the event.
- Now, when the admin visits the Rooms tab, the room is still listed, and the admin has no option to delete it.
The admin cannot even join the room: the join button is disabled unless she has the link to the room. The attacker can therefore invite group members into the room and use it for malicious activity or to harass the group members.
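To show the defensive side of this bug, here is an added example (my own illustration, not Facebook's code) that models a group, its events and the rooms those events spawn. The data model, function names and user names are hypothetical. It contrasts a delete that leaves the child room orphaned with one that cascades, adds an admin override for deleting rooms, and includes a detection check that lists rooms whose parent event no longer exists.

```python
"""Added example: event/room lifecycle with cascade delete and admin override.
Hypothetical model; names and structure are assumptions, not a real API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Room:
    room_id: str
    creator: str
    event_id: Optional[str]  # the event this room was created for


@dataclass
class Event:
    event_id: str
    creator: str
    room_id: Optional[str] = None


@dataclass
class Group:
    group_id: str
    admins: Set[str]
    events: Dict[str, Event] = field(default_factory=dict)
    rooms: Dict[str, Room] = field(default_factory=dict)


def require_admin_or_creator(group: Group, actor: str, creator: str) -> None:
    """Authorisation rule: the object's creator or any group admin may act."""
    if actor != creator and actor not in group.admins:
        raise PermissionError(f"{actor} may not modify this object")


def create_event_with_room(group: Group, creator: str,
                           event_id: str, room_id: str) -> Event:
    """A member creates an event with the video-chat option, which also
    creates a room owned by that member and lists it in the group."""
    group.rooms[room_id] = Room(room_id=room_id, creator=creator, event_id=event_id)
    event = Event(event_id=event_id, creator=creator, room_id=room_id)
    group.events[event_id] = event
    return event


def delete_event_vulnerable(group: Group, event_id: str, actor: str) -> None:
    """The behaviour the report describes: only the event record is removed;
    the room it spawned stays in the group's rooms list."""
    require_admin_or_creator(group, actor, group.events[event_id].creator)
    del group.events[event_id]


def delete_event_fixed(group: Group, event_id: str, actor: str) -> None:
    """Cascade: deleting the parent event also removes its child room."""
    event = group.events[event_id]
    require_admin_or_creator(group, actor, event.creator)
    if event.room_id is not None:
        group.rooms.pop(event.room_id, None)
    del group.events[event_id]


def delete_room(group: Group, room_id: str, actor: str) -> None:
    """Admin override: a group admin can delete any room in the group,
    not only the room's creator."""
    room = group.rooms[room_id]
    require_admin_or_creator(group, actor, room.creator)
    del group.rooms[room_id]


def orphaned_rooms(group: Group) -> List[str]:
    """Detection check for a cleanup job or admin dashboard: rooms whose
    parent event no longer exists."""
    return [r.room_id for r in group.rooms.values()
            if r.event_id is not None and r.event_id not in group.events]


def demo_vulnerable():
    """Constructed scenario: 'mallory' creates the event, 'admin' deletes it."""
    g = Group("g1", admins={"admin"})
    create_event_with_room(g, "mallory", "ev1", "room1")
    delete_event_vulnerable(g, "ev1", "admin")
    orphans = orphaned_rooms(g)          # room1 survives the event deletion
    delete_room(g, "room1", "admin")     # admin override cleans it up
    return orphans, sorted(g.rooms)


def demo_fixed():
    """Same scenario with the cascading delete: nothing is left behind."""
    g = Group("g2", admins={"admin"})
    create_event_with_room(g, "mallory", "ev1", "room1")
    delete_event_fixed(g, "ev1", "admin")
    return orphaned_rooms(g), sorted(g.rooms), sorted(g.events)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

The `orphaned_rooms` check is the part worth keeping even after the cascade is in place: it catches rooms left behind by any other deletion path and gives the admin something to act on.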
Happy Learning :)