Tagged User Could Delete Facebook Story
I recently reached Bronze Hacker Plus League on the Facebook bug bounty program. So today, I will be sharing one of my recently resolved reports. Most of the security bugs I found on the Facebook platform are simple, and I didn’t even use proxy tools to find them.
Mark Rhoy S. on LinkedIn: #facebook #whitehat
The issue existed in the Facebook Android app (version 322.214.171.124.117): a user who was tagged in someone else’s story could take the whole story down simply by removing the tag.
When Alice tagged Bob in her story and Bob decided to untag himself, tapping the “Remove Tag” button produced an error and deleted the story instead of only removing the tag.
Normally, if you want a story taken down, you have to ask the person who posted it, because only the owner can delete it. If a story violates the Facebook Terms of Service, you can report it and let Facebook handle the rest.
We need two real accounts (Alice and her friend Bob). You can use FBDL for this, but I couldn’t reproduce the issue with test accounts for an unknown reason.
- Alice creates a story
- Alice tags Bob in the story
- Alice shares the story
- Bob receives a notification that he was tagged in Alice’s story
- Bob wants to remove the tag
- Bob taps the “Remove Tag” button in the story options
- Bob receives an error message
- Alice’s story is deleted
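The steps above, modelled as a small Python example. This is an added illustration, not Facebook’s code: the `StoryService` and `Story` names, and the exact mechanism by which the untag path ends up deleting the story, are assumptions made to show the design point. The vulnerable variant verifies only that the actor is tagged and then reaches a storage-level delete that never re-checks ownership; the fixed variant lets untagging touch nothing but the tag set, and keeps deletion owner-only however it is reached.

```python
"""Hypothetical model of the reported bug: a tagged user's "Remove Tag"
action reaches the story-deletion path, which never re-checks ownership.
Added example for illustration only; not Facebook's code. The class and
function names and the failure mechanism are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when an actor attempts an action they may not perform."""


@dataclass
class Story:
    story_id: int
    owner: str
    tags: set[str] = field(default_factory=set)


class StoryService:
    def __init__(self) -> None:
        self.stories: dict[int, Story] = {}

    def create(self, owner: str, story_id: int, tagged: set[str] = frozenset()) -> Story:
        story = Story(story_id, owner, set(tagged))
        self.stories[story_id] = story
        return story

    def exists(self, story_id: int) -> bool:
        return story_id in self.stories

    def tags_of(self, story_id: int) -> set[str]:
        return set(self.stories[story_id].tags) if self.exists(story_id) else set()

    # --- vulnerable shape: the owner check lives only in the public delete() ---

    def _delete_unchecked(self, story_id: int) -> None:
        # Storage-level removal with no authorization. Any handler that
        # reaches it bypasses the owner check in delete().
        del self.stories[story_id]

    def delete(self, actor: str, story_id: int) -> None:
        story = self.stories[story_id]
        if actor != story.owner:
            raise NotAuthorized(f"{actor} does not own story {story_id}")
        self._delete_unchecked(story_id)

    def remove_tag_vulnerable(self, actor: str, story_id: int) -> None:
        # Constructed to mirror the report: the actor is verified only as a
        # tagged user, then the handler removes the whole story through the
        # unchecked path instead of only the actor's tag.
        story = self.stories[story_id]
        if actor not in story.tags:
            raise NotAuthorized(f"{actor} is not tagged in story {story_id}")
        story.tags.discard(actor)
        self._delete_unchecked(story_id)  # the bug: no ownership check on this path

    # --- fixed shape: untagging mutates only the tag set; deletion stays owner-only ---

    def remove_tag(self, actor: str, story_id: int) -> None:
        story = self.stories[story_id]
        if actor not in story.tags and actor != story.owner:
            raise NotAuthorized(f"{actor} may not edit tags on story {story_id}")
        story.tags.discard(actor)  # nothing else changes; the story survives


def reproduce(fixed: bool) -> tuple[bool, set[str]]:
    """Run the report's steps (Alice posts, tags Bob and Carol; Bob untags
    himself) and return (story still exists?, remaining tags)."""
    svc = StoryService()
    svc.create("alice", 1, {"bob", "carol"})
    if fixed:
        svc.remove_tag("bob", 1)
    else:
        svc.remove_tag_vulnerable("bob", 1)
    return svc.exists(1), svc.tags_of(1)


def tagged_user_can_delete_directly() -> bool:
    """Whether a tagged non-owner can delete through the proper delete API."""
    svc = StoryService()
    svc.create("alice", 1, {"bob"})
    try:
        svc.delete("bob", 1)
    except NotAuthorized:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable untag -> (exists, tags):", reproduce(False))
    print("fixed untag      -> (exists, tags):", reproduce(True))
    print("bob can delete via delete():", tagged_user_can_delete_directly())
```

The takeaway for a reviewer is the last two methods: an untag handler should never share a code path with deletion, and the ownership check belongs on the storage-level delete itself, not only on the public entry point, so that no other handler can reach an unchecked removal.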
August 18, 2021 — Issue reported
August 23, 2021 — Triaged
September 15, 2021 — Fixed by Facebook
September 22, 2021 — Bounty awarded by Facebook
After reviewing this issue, we have decided to award you a bounty of $3cr3t. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.
A user who is tagged in a FB Story could delete the Story by removing the tag.
Only the owner of the story should be able to delete the story, removing a tag on the story should not trigger deletion.
Thank you again for your report. We look forward to receiving more reports from you in the future!