Hi, I am Aashish Jung Kunwar from Dhangadhi, Nepal. Today I am back with a new writeup. It is about how I got my 3rd bounty after reporting a functional security issue to the Facebook Security Team.
Proof of Concept:
What I Submitted:
ADMIN CANNOT REMOVE DEACTIVATED USER FROM GROUP CHAT
The admin of a group chat cannot remove a deactivated user.
A deactivated Facebook user with active Messenger remains a group member permanently. So, the admin should be able to remove deactivated users too.
Users: UserB, GroupA, AdminA.
Environment: UserB and AdminA are members of GroupA, where AdminA is the admin. UserB has deactivated Facebook but is still using Messenger.
App version: Facebook Lite
1. AdminA tried to remove UserB from GroupA.
2. UserB wasn't removed.
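To make the class of flaw concrete, here is an added example in Python. It is my own model, not Facebook's code and not part of the original report; Facebook never published the actual root cause, so the vulnerable variant is a hypothesis about how such a bug arises. The user, group and function names are assumptions. The vulnerable removal path resolves the target through their Facebook profile, so a deactivated profile makes the member un-removable while Messenger still delivers the chat to them, which is the situation described in the report and in the deactivated-admin case raised later in this writeup. The fixed variant decides only on the actor's role and the target's membership.

```python
"""Model of a group-chat removal check that wrongly depends on account state.

Hypothetical model, not Facebook's code: the real root cause of the bug in the
writeup is not public. It only illustrates the class of flaw the report
describes: a member whose Facebook profile is deactivated but whose Messenger
is still active stays in the group because the admin's removal path fails.
"""
from dataclasses import dataclass, field
from enum import Enum


class AccountState(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"  # Facebook profile off, Messenger may still be on


@dataclass
class User:
    uid: str
    account: AccountState = AccountState.ACTIVE
    messenger_active: bool = True


@dataclass
class GroupChat:
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)


class RemovalError(Exception):
    pass


def can_read_messages(group: GroupChat, user: User) -> bool:
    """Messenger delivers group messages to any member whose Messenger is on,
    regardless of Facebook profile state (the behaviour the report relies on)."""
    return user.uid in group.members and user.messenger_active


def remove_member_vulnerable(group: GroupChat, actor: User, target: User) -> None:
    """Vulnerable variant (constructed): removal resolves the target through the
    Facebook profile, so a deactivated profile makes the target un-removable."""
    if actor.uid not in group.admins:
        raise RemovalError("actor is not an admin")
    if target.uid not in group.members:
        raise RemovalError("target is not a member")
    if target.account is not AccountState.ACTIVE:
        # Silent failure: the profile lookup finds no active account, so the
        # chat membership record is never touched.
        raise RemovalError("profile unavailable")
    group.members.discard(target.uid)
    group.admins.discard(target.uid)


def remove_member_fixed(group: GroupChat, actor: User, target: User) -> None:
    """Fixed variant: the decision depends only on the actor's role and the
    target's membership; profile state is irrelevant to chat membership."""
    if actor.uid not in group.admins:
        raise RemovalError("actor is not an admin")
    if target.uid not in group.members:
        raise RemovalError("target is not a member")
    group.members.discard(target.uid)
    group.admins.discard(target.uid)


def reproduce(remove) -> dict:
    """Replay the report's scenario (AdminA, UserB, GroupA) and the
    deactivated-admin case against a given removal function. Returns whether
    the deactivated member can still read the chat and whether the
    deactivated admin keeps the admin role afterwards."""
    admin_a = User("AdminA")
    user_b = User("UserB", account=AccountState.DEACTIVATED, messenger_active=True)
    group_a = GroupChat(members={"AdminA", "UserB"}, admins={"AdminA"})
    try:
        remove(group_a, admin_a, user_b)
    except RemovalError:
        pass  # the app simply shows the user still in the list

    # Constructed deactivated-admin case: AdminX deactivates Facebook while
    # still an admin of a chat that AdminY also administers.
    admin_x = User("AdminX", account=AccountState.DEACTIVATED)
    admin_y = User("AdminY")
    group_b = GroupChat(members={"AdminX", "AdminY"}, admins={"AdminX", "AdminY"})
    try:
        remove(group_b, admin_y, admin_x)
    except RemovalError:
        pass
    return {
        "user_b_still_reads": can_read_messages(group_a, user_b),
        "admin_x_still_admin": "AdminX" in group_b.admins,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(remove_member_vulnerable))
    print("fixed:     ", reproduce(remove_member_fixed))
```

The check a practitioner takes from this: an authorization decision on a membership change should depend on the actor's role and the target's membership record, never on a side property of the target such as profile activation, and the test suite for that code path should exercise every account state the target can be in, not just the active one.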
They replied in less than 1 hour:
We’re having a hard time reproducing the issue described in your report. Please reply with reproduction instructions (images and video would be helpful). In our testing we were able to remove deactivated users. Can you verify if this is still reproducible by creating a new group and adding a few test accounts, then trying to remove one of them?
I replied back with a POC video of the reproduction.
We are still unable to reproduce; in our testing the removal part works just fine in FBLite. We are using FBDL test accounts to reproduce. Could you specify which build version of FBLite you have and also which phone model/make you are using, and are you using test accounts or real accounts? If you can reproduce with FBDL test users, can you provide a video PoC for that?
And again they were unable to reproduce. I was flabbergasted at first, and I answered:
I have tried using test accounts too. Using test accounts, we cannot deactivate Messenger only, and if we want to reactivate Messenger only, it automatically reactivates the Facebook account. So, it is impossible to reproduce using test accounts.
App version: 253.0.0.8.119
Phone Model: Samsung Galaxy J4
They closed the report as informative because it didn’t meet the bar for a monetary reward:
Thanks for writing in.
We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on, unfortunately your report falls below the bar for a monetary reward.
This is because the user still appears in the member list; therefore users in the chat can choose not to send messages that they don’t want to be seen by that user. Note that if the user was hidden from the members list when they deactivated their account, that would have been a valid issue. In this case we consider this issue to be low impact and not eligible for a monetary reward.
I wish you luck in your continued bug hunting.
I wasn’t satisfied. Then, I answered:
The deactivated member can easily see every message in the group. S/he can chat in the group easily. S/he has only deactivated Facebook, not Messenger. That’s why nobody can remove him/her from the group. So, it should be an issue with high impact. Furthermore, what if the deactivated user is an admin? The admin cannot be removed from the group. Isn’t this irremovable group chat admins and members?
Finally, they triaged the report:
Thank you for the additional explanation and thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress.
Then, I was so happy that the issue would surely qualify for a bounty, and I replied:
Good to know the report is being sent to the appropriate product team for further analysis!
I am looking forward to hearing from the team for further updates soon.
Fixed message:
We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not resolve this issue. We will follow up regarding any bounty decisions soon.
I answered:
I can confirm that the vulnerability seems to be patched on my side as well.
And, thank you for the reply.
And finally the wait is over and they rewarded me a bounty:
With $25 as a bonus:
PoC Video of Reproduction: https://youtu.be/3QWrugm8mk8
Timeline of the report:
Initial Report: 7 June 2021
Closed as Informative: 8 June 2021 (because the bug didn’t meet the bar for a monetary reward)
Triaged: 8 June 2021 (after further discussion)
Fixed: 18 June 2021
Bounty Awarded: 23 July 2021