Skip to main content

Facebook Bug Bounty : A normal user can mark his Order as Paid

I was actually willing to see my name in this Page of the year 2022.

 I thought I would miss but anyway I made it at the end of the year by finding this interesting security Bug.

So, this bug is found in the Facebook Commerce Page. 

First, The Page admin creates an Order in the Page Inbox to a user and that sends the order to the User. 

 

The Paid checkbox can only be seen ticked when the Admin Marks the Order as paid and the User has no way to hack it.

The user can mark only Received but he cannot mark Paid or Dispatched, only the Page admin has the access to do it.

So after the admin has maked the order as paid the user will get the option to Mark the order as Received or Dispatched, The HTTP Request while marking the order as RECEVIED would be


 I observed in the variable parameter in the message body has mark_as_received. What if I replace the received with paid.

I created a new order and did that

BOOM ! The order is marked as paid in the Page Admin's Inbox

Timeline:

October, 2022: I actaully bought a new Monitor and in a few days I found a bug. I've been trying to find bugs since the start of  the year 

October, 2022: Marked as Duplicate and been told that FB Security team would follow up (I didn't trust this as I received these a few times)

February, 2023: 

I received replies like Meta would reopen the reports but I didn't trust this. But this message from them brought a hope that I would make money and gained trust.

I sent them a POC video on this bug

March 28, 2023: Received a message to see I could still replicate the bug (FB is so generours)

April 22, 2023: Received a bounty $$$$ and then added into 2022 Thanks list.

Takeaway from this Post :

The thought of getting into the Thanks list is more powerful than the thought of making money

Comments

Popular posts from this blog

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages.  The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker,  Bug Bounty of $500

$1337 YouTube Community (Posts) bug

YouTube Community  is a feature that is only available for Channels with  1. Verified Phone numbers 2.  A significant history, more content for years. In the early June I started hunting for Security flaws on YouTube I was roaming around the features but most of the places have been found secure or already potential features had the bugs fixes in place. The Community Tab is now Posts So, I thought to exploit Youtube Community feature. I was trying to delete the Posts using IDOR attacks but it didn't work I was tired of trying various attacks but thought to compromise to the least "Privilege escalation".  The Security flaw... A user (victim) created a YT Community post, later an attacker while being an Admin of the same Channel has saved the HTTP Request that deletes a Community Post / Poll, then the attacker can replay that HTTP Request after he's demoted from Admin to Subtitle Editor  that would delete the Post / Poll. I exploited this flaw I tried after 15 ...

Google form setting Bypass - Making my way to the Google's Hall of Fame !

  G o o g l e ! Bug : Circumventing "Limit to 1 response" of  Google forms  ( Parameter Injection )        Discovered on: 30th, November 2016.            Research Time: 2:00 p.m to 9:30 p.m. Earn more by display ads on blog with  Lithific Ads The setting is "Limit to 1 response" which means only one response per user. Once you filled the form there will be no chance to edit the responses or again fill a new form. If you open the form to fill again, the response would be like the image below. There is no way to edit or fill another form (Hurdle 1). I created a test form and checked "Edit after submit". Once this test form is filled I can change the previous response.  I clicked on the "Edit your  response"and intercepted the request.  I changed the form id and forwarded the request. I was able to see the form that was submitted. When I edited the form and submitted, a blank form ...