[WRITE-UP] Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD)
Hi guys, it's Shubham Bhamare again. In this write-up, I'm going to tell you about one of my very simple Facebook bug which was found accidentally as I wasn't in the mood of testing at that time and was just browsing our business group on Facebook.
Due to this issue, Facebook group admin was unable to delete group album photos as well as entire album under certain circumstances.
So without wasting time, let's start! 👉
Setup and Scenario:
1) A Facebook group where only a page (ABC) is an admin.
2) An attacker (XYZ) is a Facebook user who's the member of above group.
Platform: Facebook Web
1) From ABC's perspective, create an album in a group.
2) From XYZ's perspective, add some photos to above album.
3) Now when ABC will try to delete that photos added by XYZ, there won't have any option to delete them. Even though ABC used other platforms like Android/iOS/Lite app, mobile site to delete that photos, it won't be possible.
ABC will only be able to delete his/her own photos. Being an admin of the group, he should be able to delete photos added by other group members. But there wasn't have any option at that time when I reported this issue.
Fix and Bypass:
Team fixed this issue by adding edit button on photos added by other group members. But when I was verifying the fix, I found that if group admin tried to delete entire album (if it includes photos of other members), he/she won't be able to delete it as it was showing an error message.
Impact behind this 2nd issue was, if malicious member added thousand of inappropriate photos to album, then group admin won't be able to delete that entire album. He/she'll have to delete every photo one by one.
Also we can imagine what will happen if multiple group members added thousand of inappropriate photos to that album. 😁
1000 USD (500 USD for initial report and 500 USD for bypassing the fix or for finding 2nd issue)
Apr 21, 2019: Report sent
Apr 24, 2019: Pre-triaged
Apr 27, 2019: Triaged
May 15, 2019: Fixed
May 16, 2019: Fix bypassed/2nd issue found
May 17, 2019: Fixed completely
May 17, 2019: 1000 USD bounty awarded
1) While browsing something (even though you're not in the mood of hunting), always observe whether something's working as intended or not.
2) Don't reveal your findings until you fully believe that there won't be any bypass for it. 😉 Check another endpoints/features too for similar issues.
3) Sometimes you just need logical thinking instead of any advanced tools or knowledge. Because Logic == Magic. 😊
4) If you're new to Facebook bug bounty, try to find logical bugs the most.