Skip to main content

Tales of Failed Bug Bounty reports for Facebook

The users that have been going into the year-wise White hat thanks list has significantly reduced if you check... You can find me four times in that list. There has been a check if it's an unlikely / rare scenario,  they just close the report and only say thanks for spending time.

Image generated using Microsoft's Copilot 

Bug 1: Auth Bypass: 

This is my first Auth Bypass and very excited to report and aiming a  $ 20,000 as reward. A very interesting bug as Auth Bypass always ranks at the Top in the OWASP.
I captured a vulnerable HTTP Request from https://business.facebook.com. It can be replayed any number of times for at most 2 hours, after the Victim has changed his password. 
The report is closed because of the time-out of the session. The attack has gone in vane. 

Bug 2: Disclosing if a user had been a member of Facebook group in the Past or has an active invitation. 

For this exploitation, the Attacker requires User ID and ID of target group. Since it's a tedious process to curate the group ID and checking the info against the User, the report not taken any further. 

Bug 3: Replying to the Instagram notes after the Victim has removed the Attacker as a follower. 

Because of the low risk and unlikely scenario, the Bug report is not taken any further.

Take aways for you guys: 

Hunting for bugs costs your self-confidence, energy, time. 

What do you say about learning ??? I don't think you learn anormous stuff because most of the attacks that you do differ from product to product and no change in the learning curve for the way of attacking (exploiting security flaws) products because not all products are build the same. 

I think doing a creative job like painting or music production or any other stuff, then making money out of it is much better as it has 0 chances of putting down or upset you. 

For people with no other option other than hunting bugs for a living or making extra bucks, then I've no comments, enjoy going through the roller-coster ride

Comments

Popular posts from this blog

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages.  The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker,  Bug Bounty of $500

$1337 YouTube Community (Posts) bug

YouTube Community  is a feature that is only available for Channels with  1. Verified Phone numbers 2.  A significant history, more content for years. In the early June I started hunting for Security flaws on YouTube I was roaming around the features but most of the places have been found secure or already potential features had the bugs fixes in place. The Community Tab is now Posts So, I thought to exploit Youtube Community feature. I was trying to delete the Posts using IDOR attacks but it didn't work I was tired of trying various attacks but thought to compromise to the least "Privilege escalation".  The Security flaw... A user (victim) created a YT Community post, later an attacker while being an Admin of the same Channel has saved the HTTP Request that deletes a Community Post / Poll, then the attacker can replay that HTTP Request after he's demoted from Admin to Subtitle Editor  that would delete the Post / Poll. I exploited this flaw I tried after 15 ...

Google form setting Bypass - Making my way to the Google's Hall of Fame !

  G o o g l e ! Bug : Circumventing "Limit to 1 response" of  Google forms  ( Parameter Injection )        Discovered on: 30th, November 2016.            Research Time: 2:00 p.m to 9:30 p.m. Earn more by display ads on blog with  Lithific Ads The setting is "Limit to 1 response" which means only one response per user. Once you filled the form there will be no chance to edit the responses or again fill a new form. If you open the form to fill again, the response would be like the image below. There is no way to edit or fill another form (Hurdle 1). I created a test form and checked "Edit after submit". Once this test form is filled I can change the previous response.  I clicked on the "Edit your  response"and intercepted the request.  I changed the form id and forwarded the request. I was able to see the form that was submitted. When I edited the form and submitted, a blank form ...