Demographic Misconfiguration on Facebook live

Hi there, I am back with a new bug bounty writeup about a bug that I recently found.

On Facebook, a page admin can crosspost a live video to a second page they manage, and the live video can carry an audience restriction.

I started a live video with an audience restriction (for example: age 25+, women, and region set to Nepal) and crossposted it to the second page. During the live session, restricted users were not able to view the live video. However, when the admin chose to keep the live video as a post on both pages after the broadcast, only the first page (where the live video was started) posted it with the custom audience; the second page, where the live video had been crossposted, posted the same video publicly, so the audience restriction was lost.
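To make the failure mode concrete, here is an added example (my own constructed Python model, not Facebook's code and not from the original post). It models the post-broadcast publishing step twice: one version reproduces the behaviour described above (the crossposted page publishes the replay publicly), the other carries the source audience to every derived post. A post-publication check then flags any page whose replay admits viewers the source would have excluded. All names (`Audience`, `LiveVideo`, `publish_replays_*`, `audience_leaks`) and the sample pages are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, FrozenSet


@dataclass(frozen=True)
class Audience:
    """Audience restriction on a post or live video (constructed model, not Facebook's)."""
    min_age: Optional[int] = None            # None = no age restriction
    genders: FrozenSet[str] = frozenset()    # empty = any gender
    regions: FrozenSet[str] = frozenset()    # empty = any region

    def allows(self, age: int, gender: str, region: str) -> bool:
        """Would a viewer with these attributes be allowed to see the content?"""
        if self.min_age is not None and age < self.min_age:
            return False
        if self.genders and gender not in self.genders:
            return False
        if self.regions and region not in self.regions:
            return False
        return True

    def no_broader_than(self, source: "Audience") -> bool:
        """True if this audience admits no viewer that `source` would exclude."""
        if (source.min_age or 0) > (self.min_age or 0):
            return False
        if source.genders and not (self.genders and self.genders <= source.genders):
            return False
        if source.regions and not (self.regions and self.regions <= source.regions):
            return False
        return True


PUBLIC = Audience()


@dataclass
class LiveVideo:
    origin_page: str
    audience: Audience
    crosspost_pages: Set[str] = field(default_factory=set)


@dataclass
class Post:
    page: str
    audience: Audience


def publish_replays_buggy(video: LiveVideo) -> List[Post]:
    """Reproduces the behaviour the writeup describes: the origin page keeps the
    custom audience, but each crossposted page publishes the replay publicly."""
    posts = [Post(video.origin_page, video.audience)]
    for page in sorted(video.crosspost_pages):
        posts.append(Post(page, PUBLIC))   # restriction dropped for the crosspost
    return posts


def publish_replays_fixed(video: LiveVideo) -> List[Post]:
    """Hardened version: every derived post inherits the source audience."""
    pages = [video.origin_page, *sorted(video.crosspost_pages)]
    return [Post(page, video.audience) for page in pages]


def audience_leaks(video: LiveVideo, posts: List[Post]) -> List[str]:
    """Post-publication check: pages whose replay is broader than the source audience."""
    return [p.page for p in posts if not p.audience.no_broader_than(video.audience)]


if __name__ == "__main__":
    # Constructed scenario matching the writeup: age 25+, women, region Nepal.
    restricted = Audience(min_age=25, genders=frozenset({"female"}), regions=frozenset({"NP"}))
    video = LiveVideo("page-one", restricted, {"page-two"})
    print("buggy leaks:", audience_leaks(video, publish_replays_buggy(video)))  # ['page-two']
    print("fixed leaks:", audience_leaks(video, publish_replays_fixed(video)))  # []
```

The design point is the invariant in `no_broader_than`: a post derived from restricted content must never admit a viewer the source excludes. Checking that invariant at publish time, for every target page, is what catches the crosspost case that a per-page default of "public" silently breaks.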

Timeline:

December 12, 2021: Initial report sent

December 23, 2021: Closed as Informative

December 29, 2021: I opened the report with further clarification

January 13, 2022: Triaged

February 23, 2022: Bounty rewarded + time delay bonus

March 3, 2022: Confirmation of fix from Facebook and me

Later, the fix turned out to be incomplete, and when I re-reported the problem, they responded that there are several methods to get around audience settings, such as establishing an account with a different age or using a VPN to shift countries: "As a result, we do not consider audience bugs to be privacy breaches, and we will not compensate users who report them."

PoC: https://youtu.be/F9jFG8NkEEU

Thank you for taking the time to read my article. Have a great day!

You can follow me on Facebook or Instagram if you would like to stay connected with me.

Prajwol Dhungana