Member-only story
This is How I Turned an Informative Bug into a Valid $500 Bug
In this write-up, I have shared the story of a simple Facebook bug where the Activity Log and Hacked Flow features weren’t working as intended.
✨ Non-members can read this write-up for free using this link.
Hi everyone, it’s Shubham Bhamare again with a new bug bounty write-up. Today, I’m going to share the story of how I turned an “Informative” bug into a valid $500 bug. This was one of the most interesting findings of my life and a very simple one as well. The target platform was, of course, Facebook 😅
The best part? This bug was found just by observation, like many of my previous findings.
So, without further ado, let’s get started! 👉
Description:
Let me give you a brief description of this bug. Facebook has two security features: Activity Log and Hacked Flow.
- The Activity Log allows users to view their recent comments, likes, and other activities on Facebook.
- The Hacked Flow is designed to help users undo suspicious activities if they believe their account has been compromised.
During my testing, I found that these features were not working as intended for some sponsored posts. If a user liked or commented on such posts, those activities were not showing in the Activity Log or the Hacked Flow.
Impact:
All comments and likes made by a user should be displayed in the Activity Log and Hacked Flow, allowing users to review their actions and undo activities made either by mistake or by an attacker if their account is compromised.
However, since the comments and likes on certain posts were not showing in the Activity Log or Hacked Flow:
- Attackers could have exploited this issue to trick victims, as the victims wouldn’t have been able to trace those activities.
- Victims couldn’t see their recent activities, making it hard or almost impossible for them to undo suspicious actions.
Now, let’s skip the reproduction steps since I believe you’ve already got an idea about the bug…
