Simple logical bug turned into a bounty

Hello all,

It’s me, Sandeep Giri, again! This is my second valid bug for the Facebook Bug Bounty Program. I was rewarded $500 by the Facebook responsible disclosure program. Below is the explanation:

When a user creates a room as part of a group event, the room remains in the group’s rooms list even after the event is deleted, and the group admin cannot delete the room.

Reproduction Steps:

  1. A user creates an event with the “Online Video Chat with Messenger” option enabled.
  2. From the admin’s account, the admin deletes the event.
  3. Now, when the admin visits the Rooms tab, the room is still there, and the admin has no option to delete it.

Impact

As an admin, she cannot join the room, since the join button is disabled unless she has the link to the room. The attacker can invite group members and carry out malicious activity or harass the group members.
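The two defects behind this report (an event deletion that does not cascade to the room it spawned, and a room-deletion permission that ignores group admins) are easy to model. The following is an added example, not code from the post or from Facebook; every name in it is hypothetical, and it contrasts the orphaning behaviour with the corrected lifecycle and authorization rules.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Room:
    room_id: str
    group_id: str
    creator: str
    event_id: Optional[str]  # set when the room was created as part of an event

class GroupState:
    """Hypothetical in-memory model of one group's events, rooms and admins."""
    def __init__(self, group_id: str, admins: set) -> None:
        self.group_id, self.admins = group_id, set(admins)
        self.events: dict = {}  # event_id -> creator
        self.rooms: dict = {}   # room_id -> Room

    def create_event_with_room(self, event_id: str, room_id: str, creator: str) -> Room:
        self.events[event_id] = creator
        self.rooms[room_id] = Room(room_id, self.group_id, creator, event_id)
        return self.rooms[room_id]

    def delete_event_orphaning(self, event_id: str) -> None:
        """Defective behaviour from the report: the event goes, its room stays listed."""
        self.events.pop(event_id, None)

    def delete_event_cascading(self, event_id: str) -> list:
        """Fix 1: deleting an event also removes rooms that exist only for that event."""
        self.events.pop(event_id, None)
        orphaned = [rid for rid, room in self.rooms.items() if room.event_id == event_id]
        for rid in orphaned:
            del self.rooms[rid]
        return orphaned

    def can_delete_room(self, user: str, room_id: str, admin_override: bool) -> bool:
        """Creator may always delete; Fix 2 (admin_override) lets group admins delete too."""
        room = self.rooms[room_id]
        return user == room.creator or (admin_override and user in self.admins)

def reproduce() -> dict:
    """Replays the reproduction steps against the defective and the corrected model."""
    buggy = GroupState("g1", admins={"admin"})
    buggy.create_event_with_room("ev1", "room1", "member")
    buggy.delete_event_orphaning("ev1")          # step 2 as the report describes it
    fixed = GroupState("g1", admins={"admin"})
    fixed.create_event_with_room("ev1", "room1", "member")
    removed = fixed.delete_event_cascading("ev1")  # step 2 with cascade applied
    return {
        "buggy_room_lingers": "room1" in buggy.rooms,
        "buggy_admin_can_delete": buggy.can_delete_room("admin", "room1", admin_override=False),
        "admin_override_can_delete": buggy.can_delete_room("admin", "room1", admin_override=True),
        "fixed_room_removed": removed == ["room1"] and "room1" not in fixed.rooms,
    }
```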

Bounty Decision by Facebook

Thanks

Happy Learning :)
