
How I got my First $$$$ bounty from finding a bug in Facebook By Aashish Kunwar:

Aashish Kunwar



How’s it going, guys? Today, I will show you exactly what I did to get the bug that I discovered to qualify for the Facebook Bug Bounty Program, which earned me $1000 as a reward from the Facebook Security Team and made me the youngest Facebook bug hunter from Nepal (till now).

How I started bug hunting:

I have quite a different story from other bug hunters. I didn't know how to turn on a computer until I was in grade 9. After the lockdown began in Nepal, I got access to a mobile phone. Then I started using Facebook. While using Facebook, I met Saurav Subedi. He approached me to be an admin of Nepal Educational Hub (one of the largest educational Facebook groups of Nepal) on Chaitra 11, 2076 (24 March 2020). The corona pandemic was ongoing. All the schools, colleges and educational institutions were closed, and Nepal Educational Hub was the only platform to continue the environment of learning. We started sharing notes, solutions and problems in NEH with the common motto of “Help and Be Helped”. Being an admin, I found a lot of errors while managing the group and page, but I didn't know how to report those errors to Facebook. After I came to know that Saugat Pokharel is one of the Facebook bug hunters from Nepal, I messaged him and started asking about this platform. He responded to my questions. Then he became my inspiration in this field. Moreover, I was inspired by Binit Ghimire, Anubhav Thapa, Ujjwal Gautam, Bishal Shrestha, Baibhav Anand Jha, Kunjan Nayak, Kailash Bohara and Asmin Bhujel in this field. They are also bug hunters from Nepal. I learned a lot of things from them too. Moreover, Bijay Acharya, Purushottam Shukla and Abhiyan Chhetri are my inspirations not only in bug bounty but also in the field of leadership.

I reported my first bug on November 24, 2020, and it went duplicate. I was so sad to know that my first report was a duplicate. But I never gave up and kept on hunting bugs and reporting. Again, most of them went duplicate. Finally I nailed it and created history as the youngest Facebook bug hunter from Nepal, and was rewarded with a bounty of $1000 from Facebook.

About the bug:

Personal and Page profile interaction error in a Facebook group (the voice selector failed to work correctly). I found a security issue: while I was commenting via my personal profile, the comment was made from the Facebook page.

What I Submitted:

Title: COMMENT GOES FROM PAGE PROFILE INSTEAD OF PERSONAL PROFILE.

Vuln Type: Identification / Deanonymization

Product Area: Facebook — Android

UserOne is a member of GroupOne with both his profile and his page, PageOne.
When UserOne comments on a group post in GroupOne, the comment goes as PageOne instead of UserOne.

Interaction happens as the page profile instead of the personal profile.

Setup:

Users: A is the personal profile, B is the page, C is the group

Environment: UserOne, who is a member of GroupOne and whose page PageOne is also a member of the group, is interacting with GroupOne’s post.

App version: Facebook for Android

1. Logged in to Facebook as UserOne.
2. Then posted in GroupOne interacting as UserOne.
3. UserOne commented on that post, but the comment went through the PageOne profile.

Video of Reproduction: https://youtu.be/kk5U_6L0hkI

Timeline:

Initial report: 18 December 2020

Reproduced: 22 December 2020

Triaged: 23 December 2020

Fixed: 24 March 2021

Confirmation of Fix: 24 March 2021

Rewarded {$$$$}: 9 April 2021


