I was really hoping to see my name on this page for the year 2022.
I thought I would miss it, but in the end I made it at the end of the year by finding this interesting security bug.
This bug was found in the Facebook Commerce Page.
First, the Page admin creates an order in the Page Inbox for a user, which sends the order to that user.
The Paid checkbox can only be ticked when the admin marks the order as paid; the user has no legitimate way to change it.
The user can only mark the order as Received. They cannot mark it Paid or Dispatched; only the Page admin has access to do that.
I observed that the variables parameter in the message body contained mark_as_received. What if I replaced received with paid?
BOOM! The order was marked as paid in the Page admin's inbox.
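The root cause behind that swap is that the server accepted the action name from the client and checked at most that the requester was a party to the order, not whether the requester's role was allowed to perform that particular status transition. The following is an added example (not Facebook's code and not the author's) that models the same situation: a buyer and a Page admin (seller), an order with Paid/Dispatched/Received flags, and two handlers for a `variables` payload like the one in the post. `update_order_vulnerable` applies whatever `mark_as_*` action it is given; `update_order_fixed` checks the action against a per-role allow-list before applying it. All identifiers, the `variables` shape and the sample users are assumptions for illustration.

```python
"""Order-status authorization: vulnerable handler beside its hardened form.

Added illustration, not Facebook's implementation. The `variables` dict
mirrors the request parameter mentioned in the write-up; its exact shape is
assumed.
"""
from enum import Enum


class Role(Enum):
    BUYER = "buyer"
    SELLER = "seller"  # the Page admin who created the order


# Which status transitions each role may trigger. The buyer may only confirm
# receipt; only the seller may mark the order paid or dispatched.
ALLOWED_ACTIONS = {
    Role.BUYER: {"mark_as_received"},
    Role.SELLER: {"mark_as_paid", "mark_as_dispatched"},
}

STATUS_FLAGS = ("paid", "dispatched", "received")


class Order:
    def __init__(self, order_id, buyer_id, seller_id):
        self.order_id = order_id
        self.buyer_id = buyer_id
        self.seller_id = seller_id
        self.paid = False
        self.dispatched = False
        self.received = False

    def role_of(self, user_id):
        """Return the caller's role on this order, or None if not a party."""
        if user_id == self.seller_id:
            return Role.SELLER
        if user_id == self.buyer_id:
            return Role.BUYER
        return None


def _apply_action(order, action):
    """Translate a `mark_as_<flag>` action into setting that flag."""
    prefix = "mark_as_"
    if not action.startswith(prefix) or action[len(prefix):] not in STATUS_FLAGS:
        raise ValueError("unknown action: %r" % action)
    setattr(order, action[len(prefix):], True)


def update_order_vulnerable(order, user_id, variables):
    """Bug: verifies the caller is a party to the order, then trusts the
    client-supplied action. A buyer who sends mark_as_paid gets the order
    marked paid in the seller's inbox."""
    if order.role_of(user_id) is None:
        raise PermissionError("not a party to this order")
    _apply_action(order, variables["action"])
    return order


def update_order_fixed(order, user_id, variables):
    """Fix: the action must be on the allow-list for the caller's role."""
    role = order.role_of(user_id)
    if role is None:
        raise PermissionError("not a party to this order")
    action = variables["action"]
    if action not in ALLOWED_ACTIONS[role]:
        raise PermissionError("%s may not perform %s" % (role.value, action))
    _apply_action(order, action)
    return order


def buyer_can_forge_paid(handler):
    """True if `handler` lets the buyer mark a fresh order as paid."""
    # Constructed sample order: hypothetical buyer and Page admin IDs.
    order = Order("order-1", buyer_id="buyer-42", seller_id="page-admin-7")
    try:
        handler(order, "buyer-42", {"action": "mark_as_paid"})
    except PermissionError:
        pass
    return order.paid


if __name__ == "__main__":
    print("vulnerable handler forgeable:", buyer_can_forge_paid(update_order_vulnerable))
    print("fixed handler forgeable:     ", buyer_can_forge_paid(update_order_fixed))
```

The check to take away is the allow-list keyed on role, not the existence of any check at all: the vulnerable handler does authenticate and does confirm the caller belongs to the order, which is why a casual review can miss it. A second, cheaper defence is to expose separate endpoints per transition (a buyer-only "received" mutation, an admin-only "paid" mutation) so that the action name is never something the client gets to choose.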
Timeline:
October 2022: I had actually bought a new monitor, and within a few days I found a bug. I had been trying to find bugs since the start of the year.
October 2022: Marked as duplicate and told that the FB security team would follow up (I didn't trust this, as I had received such messages a few times).
February 2023: I received replies saying Meta would reopen the reports, but I didn't trust this. Still, this message from them brought hope that I would make money, and I gained trust.
I sent them a PoC video of this bug.
March 28, 2023: Received a message asking whether I could still replicate the bug (FB is so generous).
April 22, 2023: Received a bounty $$$$ and was then added to the 2022 Thanks list.
Takeaway from this post:
The thought of getting onto the Thanks list is more powerful than the thought of making money.