The story of my first ever, $xxxx, bounty from Facebook.

I am a complete newbie who has been getting familiar with the concept of bug hunting and penetration testing for just over a couple of month.

The working mechanism of digital technologies always fascinated me. I wanted to explore more about that. I immediately set my foot into this penetration testing field after my final year’s engineering exams.

As I was just learning the basics and side by side I and my sister use to manage a small page with around 100k likes.
We used to use Pages Manager and Lite for managing the page.
After the update v185.0 the application, FB Lite, started acting crazy.
While we were replying to the fan’s post and liking their comments, it was being done from the page owner’s personal id instead of being liked/commented on behalf of the page.
My sister immediately informed me about this weird behavior.
After that I made a poc video of demonstrating the bug and then submitted to the Facebook Security Team.

February 18 — Replied with more elaborated POC.

February 21 — Reproduced on v186.0 as well on my side.

February 21 — Replied with more info.

February 28— Replied with more info again.

After this reply I started getting frustrated and had no clue what‘s going wrong while they were trying to reproduce that issue . Then I remembered I had set up business account.

Immediately, I tried reproducing the bug with another id, where no business account was set.

Things work as intended on that account.

March 7 — Replied with more info.

Finally! They reproduced the bug.

March 10 — And here’s a random screenshot of me being desperate.

March 17 — AGAIN ( Face-palm )

And Finally on April 1

This was my first proper bug that I had reported and it got accepted.
I still have a lot to learn and this is a good milestone and a very good motivating factor for me to continue my journey to penetration testing.

Thank you so much to the guys of NepSec who are awesome as always.
and we can be friends over Facebook . Don’t hesitate to hit me up with intro so that we could share knowledge .
#BugBounty

Follow Infosec Writeups for more. :)

I know a few things about computers.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store