Simple logical Bug turned into a bounty

Sndp Giri
1 min read · May 10, 2021


Hello all,

It’s me, Sandeep Giri, again! This is my second valid bug for the Facebook Bug Bounty Program. I was rewarded $500 by the Facebook responsible disclosure program. Below is the explanation:

When a user creates a room as part of a group event, the room remains in the group’s rooms list even after the event is deleted, and the group admin cannot delete the room.

Reproduction Steps:

  1. A user creates an event with the option “Online Video chat with the messenger”.
  2. From the admin’s account, the admin deletes the event.
  3. Now, when the admin visits the room tab, the room remains undeleted. The admin doesn’t have any option to delete the room.

Impact

The admin cannot join the room, because the join button is disabled unless she has the link to the room. The attacker can invite group members to the room and carry out malicious activity or harass them.
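The lifecycle flaw above, reduced to a toy in-memory model. This is an added example, not code from the post or from Facebook; every name in it (`Group`, `delete_event_fixed`, `delete_room`, `orphaned_rooms`) is hypothetical, and the corrected behaviour is one possible fix, not the one Facebook shipped.

```python
# Toy model, constructed for illustration; not Facebook's code or schema.
from dataclasses import dataclass, field

@dataclass
class Group:
    admins: set
    events: dict = field(default_factory=dict)  # event_id -> creator
    rooms: dict = field(default_factory=dict)   # room_id -> {"owner", "event_id"}

def create_event_with_room(group, event_id, room_id, creator):
    group.events[event_id] = creator
    group.rooms[room_id] = {"owner": creator, "event_id": event_id}

def delete_event_buggy(group, event_id, actor):
    """Behaviour described in the post: the event goes, its room stays listed."""
    if actor not in group.admins and group.events.get(event_id) != actor:
        raise PermissionError("not allowed to delete this event")
    del group.events[event_id]

def delete_event_fixed(group, event_id, actor):
    """Deleting the event also removes every room created for it."""
    delete_event_buggy(group, event_id, actor)
    for room_id in [r for r, m in group.rooms.items() if m["event_id"] == event_id]:
        del group.rooms[room_id]

def delete_room(group, room_id, actor):
    """Group admins (and the room owner) can remove a room listed in the group."""
    if actor not in group.admins and group.rooms[room_id]["owner"] != actor:
        raise PermissionError("not allowed to delete this room")
    del group.rooms[room_id]

def orphaned_rooms(group):
    """Audit check: rooms whose parent event no longer exists."""
    return sorted(r for r, m in group.rooms.items() if m["event_id"] not in group.events)

def demo():
    buggy, fixed = Group(admins={"admin"}), Group(admins={"admin"})
    for g in (buggy, fixed):
        create_event_with_room(g, "ev1", "room1", "member")
    delete_event_buggy(buggy, "ev1", "admin")
    delete_event_fixed(fixed, "ev1", "admin")
    return orphaned_rooms(buggy), orphaned_rooms(fixed)
```

`orphaned_rooms` is the kind of invariant check that catches this class of bug in tests: no child resource should outlive the parent that created it.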

Bounty Decision by Facebook

Thanks

Happy Learning :)
