Tagged User Could Delete Facebook Story

I recently reached Bronze Hacker Plus League on the Facebook bug bounty program. So today, I will be sharing one of my recently resolved reports. Most of the security bugs I found on the Facebook platform are simple, and I didn’t even use proxy tools to find them.

Description

The issue exists in the Facebook android app (version 331.1.0.29.117), where a tagged user could take down the story by just removing the tag.

When Alice tagged Bob in her story and Bob decided to untag himself for some reason, clicking the “Remove Tag” button produced an error and triggered the deletion of the whole story instead of only removing the tag.

If users want to take down a story, they should message the person who posted it, because only the owner can delete it. If a story is against the Facebook TOS, you can report it and let Facebook handle everything.

Setup

We need two real accounts (Alice and her friend, Bob). You can use FBDL for this, but I can’t reproduce the issue using test accounts for an unknown reason.

Reproduction Steps

  1. Alice creates a story
  2. Alice tags Bob in the story
  3. Alice shares the story
  4. Bob receives a notification that he was tagged in Alice’s story
  5. Bob wants to remove the tag
  6. Bob clicks the “Remove Tag” button in the story options
  7. Bob receives an error message
  8. Alice’s story is deleted
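The reproduction steps modelled as code, as an added example that is not from the report or from Facebook: a minimal in-memory story service with a hypothetical untag handler that falls through to an unchecked delete, next to a handler that only touches the tag set. The report does not state the root cause, so the fall-through is an assumption; `StoryService`, `reproduce` and the account names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Story:
    story_id: int
    owner: str
    tags: set = field(default_factory=set)


class StoryService:
    """Constructed in-memory model of story tagging (not Facebook's code)."""

    def __init__(self):
        self.stories = {}

    def create_story(self, owner, tags=()):
        sid = len(self.stories) + 1
        self.stories[sid] = Story(sid, owner, set(tags))
        return sid

    def delete_story(self, actor, story_id):
        # Owner check at the sink: nobody can delete through this path.
        if actor != self.stories[story_id].owner:
            raise PermissionError("only the owner may delete a story")
        del self.stories[story_id]

    def remove_tag_buggy(self, actor, story_id):
        # Hypothetical root cause matching the report: untag falls into an
        # unchecked delete instead of stopping at the tag.
        story = self.stories[story_id]
        if actor not in story.tags:
            raise PermissionError("only a tagged user may remove their tag")
        story.tags.discard(actor)
        del self.stories[story_id]                   # bypasses delete_story
        raise RuntimeError("Something went wrong")   # the error Bob saw

    def remove_tag_fixed(self, actor, story_id):
        # Untagging touches only the tag set; deletion stays a separate,
        # owner-checked action that this handler never reaches.
        story = self.stories[story_id]
        if actor not in story.tags:
            raise PermissionError("only a tagged user may remove their tag")
        story.tags.discard(actor)


def reproduce(remove_tag):
    """Runs steps 1-8 of the report; returns (error_shown, story_exists)."""
    svc = StoryService()
    sid = svc.create_story("alice", tags={"bob"})    # steps 1-3: tag and share
    try:
        remove_tag(svc, "bob", sid)                   # steps 5-6: Bob untags
        error = False
    except RuntimeError:
        error = True                                  # step 7: error message
    return error, sid in svc.stories                  # step 8: still there?
```

With the buggy handler `reproduce` returns `(True, False)`: Bob sees an error and Alice's story is gone; with the fixed handler it returns `(False, True)` and only the tag is removed.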

Timeline

August 18, 2021 — Issue reported

August 23, 2021 — Triaged

September 15, 2021 — Fixed by Facebook

September 22, 2021 — Bounty awarded by Facebook

After reviewing this issue, we have decided to award you a bounty of $3cr3t. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.

A user who is tagged in a FB Story could delete the Story by removing the tag.

Only the owner of the story should be able to delete the story; removing a tag on the story should not trigger deletion.

Thank you again for your report. We look forward to receiving more reports from you in the future!

Mark Rhoy

Penetration Tester | Software Engineer