Demographic Misconfiguration on Facebook Live
Hi there, I am here with a new bug bounty writeup on an issue that I recently found.
On Facebook, a page admin can crosspost a live video to their second page with an audience restriction.
When the live video was shared with an audience restriction (e.g. age 25+, women, and region set to Nepal) and crossposted to the second page, the restricted users were not able to view it during the live session. But when the admin decides to post that live video on both pages, the first page, from which the live video was started, posts the video with the custom audience, while the second page, to which the live video was crossposted, posts it publicly.
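A minimal model of the behaviour described above, as an added example that is not Facebook's code and not part of the original writeup. The class names, function names, page names and viewer records are all constructed; the point is the invariant a regression test should enforce, namely that every published copy of a crossposted live video carries the same audience restriction as the source.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Audience:                      # hypothetical restriction: age 25+, women, Nepal
    min_age: int
    gender: str
    country: str

    def allows(self, viewer: dict) -> bool:
        return (viewer["age"] >= self.min_age
                and viewer["gender"] == self.gender
                and viewer["country"] == self.country)

@dataclass
class Post:
    page: str
    audience: Optional[Audience]     # None means the post is public

    def visible_to(self, viewer: dict) -> bool:
        return self.audience is None or self.audience.allows(viewer)

def publish_buggy(source_page, crosspost_pages, audience):
    """Behaviour from the writeup: only the originating page keeps the restriction."""
    return [Post(source_page, audience)] + [Post(p, None) for p in crosspost_pages]

def publish_fixed(source_page, crosspost_pages, audience):
    """Every copy of the video inherits the restriction chosen for the live session."""
    return [Post(p, audience) for p in [source_page, *crosspost_pages]]

def leaking_pages(posts, audience, viewers):
    """Pages on which a viewer outside the audience can still see the post."""
    return sorted({p.page for p in posts for v in viewers
                   if not audience.allows(v) and p.visible_to(v)})

# Constructed sample data
AUDIENCE = Audience(min_age=25, gender="female", country="NP")
VIEWERS = [
    {"age": 30, "gender": "female", "country": "NP"},   # inside the audience
    {"age": 19, "gender": "female", "country": "NP"},   # too young
    {"age": 40, "gender": "male", "country": "NP"},     # wrong gender
    {"age": 33, "gender": "female", "country": "IN"},   # wrong region
]

if __name__ == "__main__":
    for publish in (publish_buggy, publish_fixed):
        posts = publish("page_a", ["page_b"], AUDIENCE)
        print(publish.__name__, "->", leaking_pages(posts, AUDIENCE, VIEWERS))
```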
Timeline:
December 12, 2021: Initial report sent
December 23, 2021: Closed as Informative
December 29, 2021: I opened the report with further clarification
January 13, 2022: Triaged
February 23, 2022: Bounty rewarded + time delay bonus
March 3, 2022: Confirmation of fix from Facebook and me
Later, the fix for this issue turned out to be incomplete, and when I re-reported the problem, they responded that there are several methods to get around audience settings, such as establishing an account with a different age or using a VPN to shift countries, and that, as a result, they do not consider audience bugs to be privacy breaches and will not compensate users who report them.