The story of my first ever $xxxx bounty from Facebook.

I am a complete newbie who has been getting familiar with the concepts of bug hunting and penetration testing for just over a couple of months.

The working mechanisms of digital technologies have always fascinated me, and I wanted to explore them further. I stepped into the penetration testing field right after my final-year engineering exams.

While I was learning the basics, my sister and I were also managing a small page with around 100k likes.
We used Pages Manager and FB Lite to manage the page.
After update v185.0, the FB Lite application started acting crazy.
While we were replying to fans' posts and liking their comments, the actions were being performed from the page owner's personal ID instead of being liked/commented on behalf of the page.
My sister immediately informed me about this weird behavior.
After that I made a PoC video demonstrating the bug and submitted it to the Facebook Security Team.

February 18 — Replied with a more elaborate PoC.

February 21 — Reproduced on v186.0 as well on my side.

Asked for more information.

February 21 — Replied with more info.

Still not reproducible.

February 28 — Replied with more info again.

After this reply I started getting frustrated and had no clue what was going wrong while they were trying to reproduce the issue. Then I remembered that I had set up a business account.

Immediately, I tried reproducing the bug with another ID, where no business account was set up.

Things worked as intended on that account.

March 7 — Replied with more info.

Finally! They reproduced the bug.

March 10 — And here’s a random screenshot of me being desperate.

March 17 — AGAIN (face-palm)

And finally, on April 1

This was my first proper bug that I had reported and it got accepted.
I still have a lot to learn, and this is a good milestone and a very good motivating factor for me to continue my journey into penetration testing.

Thank you so much to the guys at NepSec, who are awesome as always.
We can be friends over Facebook; don't hesitate to hit me up with an intro so that we can share knowledge.

Follow Infosec Writeups for more. :)

Ashok Chapagai

I know a few things about computers.