Researcher gets $2,000 for reporting a logic flaw in Facebook Groups

Manjesh S, a security researcher, has identified a logic flaw in Facebook Groups. He says that although the bug is very simple to exploit, its impact is significant.

The bug lets a user strip a group admin of the ability to remove that user or their posts, simply by blocking the admin. If the attacker also holds admin rights, he can block the original admin so that the original admin can no longer remove him from the group.

If the attacker is an ordinary member and blocks the admin, the admin can no longer remove the attacker's posts from the group.
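The underlying problem is an authorization check that lets a user-controlled privacy relationship (a block) override a role-based permission (group admin). The following model is an added illustration written for this article, not Facebook's code: the data model, the function names and the exact ordering of the checks are assumptions made to show the flaw and its fix, not a reconstruction of the real implementation. It replays both cases from the report, a second admin blocking the original admin and an ordinary member blocking the original admin, against the flawed check and the corrected one.

```python
"""Model of a group-moderation authorization flaw in which a block
relationship suppresses an admin's moderation rights.

Illustrative code only; the Group/Directory model and the check
functions are assumptions, not Facebook's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    admins: set[str]
    members: set[str]
    posts: dict[str, str] = field(default_factory=dict)  # post_id -> author


@dataclass
class Directory:
    # blocks[a] is the set of users that a has blocked (assumed data model)
    blocks: dict[str, set[str]] = field(default_factory=dict)

    def has_blocked(self, blocker: str, target: str) -> bool:
        return target in self.blocks.get(blocker, set())


def can_moderate_vulnerable(directory: Directory, group: Group,
                            actor: str, target: str) -> bool:
    """Flawed check: the block relationship is consulted first, so any user
    who blocks an admin hides themselves and their posts from that admin's
    moderation actions, regardless of the admin's role in the group."""
    if directory.has_blocked(target, actor):
        return False
    return actor in group.admins


def can_moderate_fixed(directory: Directory, group: Group,
                       actor: str, target: str) -> bool:
    """Hardened check: moderation is a role-based decision about the group,
    so a privacy relationship controlled by the target must not suppress it.
    Blocks still apply to ordinary interactions, just not to moderation."""
    return actor in group.admins


def remove_member(check, directory, group, actor, target) -> bool:
    """Remove target from the group if the check authorizes actor."""
    if not check(directory, group, actor, target):
        return False
    group.members.discard(target)
    group.admins.discard(target)
    return True


def remove_post(check, directory, group, actor, post_id) -> bool:
    """Remove a post if the check authorizes actor against its author."""
    author = group.posts[post_id]
    if not check(directory, group, actor, author):
        return False
    del group.posts[post_id]
    return True


def scenario(check) -> dict[str, bool]:
    """Replay the two cases from the report against a given check and
    report which actions the original admin is allowed to perform.
    All users, posts and blocks below are constructed sample data."""
    directory = Directory()
    group = Group(
        admins={"original_admin", "rogue_admin"},
        members={"original_admin", "rogue_admin", "rogue_member"},
        posts={"post1": "rogue_member"},
    )
    # Case 1: a second admin blocks the original admin.
    directory.blocks["rogue_admin"] = {"original_admin"}
    # Case 2: an ordinary member blocks the original admin.
    directory.blocks["rogue_member"] = {"original_admin"}
    return {
        "admin_removes_rogue_admin":
            remove_member(check, directory, group, "original_admin", "rogue_admin"),
        "admin_removes_member_post":
            remove_post(check, directory, group, "original_admin", "post1"),
        # Control: a non-admin must be denied under both checks.
        "member_removes_admin":
            remove_member(check, directory, group, "rogue_member", "original_admin"),
    }


if __name__ == "__main__":
    print("vulnerable:", scenario(can_moderate_vulnerable))
    print("fixed:     ", scenario(can_moderate_fixed))
```

Under the flawed check both admin actions are denied once the admin has been blocked, which is exactly the behaviour the report describes; under the corrected check the admin's role decides, and the block has no effect on moderation. The general lesson is to order authorization checks so that a privilege granted by the system (a role) is never vetoed by a relationship the target user can set unilaterally.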

He reported the bug to Facebook. At first, they classified it as a privacy issue and said it was not eligible for a bug bounty.

He then found that another researcher had received a $5,000 reward for a similar kind of bug, and asked Facebook why his was not eligible. Facebook subsequently recognized the impact of the bug, rewarded him with $2,000 and listed him on the Facebook WhiteHat page.