Demographic Misconfiguration on Facebook live

Prajwol Dhungana
Mar 9, 2022


Hi there, I am here with a new bug bounty writeup about an issue that I recently found.

On Facebook, a page admin can crosspost a live video to their second page with an audience restriction.

Suppose the live video is shared with an audience restriction (e.g., age 25+, women, and region set to Nepal) and crossposted to the second page. During the live session, the restricted users were not able to view the live video on either page. But when the admin decides to post that live video on both pages, the first page, where the live video was started, posts the video with the custom audience, while the second page, where the live video was crossposted, posts it publicly.
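The behaviour above can be expressed as an invariant: every post derived from a restricted live video must be at least as restricted as the live video itself. The sketch below is an added example, not Facebook's code and not part of the original writeup; the `Audience` model, the `publish_*` functions and the page names are hypothetical and exist only to show the check.

```python
# Added illustration: a toy model, not Facebook's code. All names are hypothetical.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Audience:
    min_age: int = 0                              # 0 = no age limit
    genders: Optional[FrozenSet[str]] = None      # None = everyone
    countries: Optional[FrozenSet[str]] = None    # None = everywhere

PUBLIC = Audience()

def _within(child, parent):
    # A None set means "unrestricted", so it only fits inside another None.
    if parent is None:
        return True
    return child is not None and child <= parent

def at_least_as_strict(child: Audience, parent: Audience) -> bool:
    return (child.min_age >= parent.min_age
            and _within(child.genders, parent.genders)
            and _within(child.countries, parent.countries))

@dataclass(frozen=True)
class Post:
    page: str
    audience: Audience

def publish_buggy(origin, crossposts, live_audience) -> List[Post]:
    # Behaviour described in the writeup: only the origin page keeps the
    # custom audience; crossposted pages fall back to public.
    return [Post(origin, live_audience)] + [Post(p, PUBLIC) for p in crossposts]

def publish_fixed(origin, crossposts, live_audience) -> List[Post]:
    # Every post derived from the live video inherits its audience.
    return [Post(p, live_audience) for p in [origin, *crossposts]]

def audit(posts, live_audience) -> List[str]:
    """Return pages whose saved post is visible to a wider audience than the live video."""
    return [p.page for p in posts if not at_least_as_strict(p.audience, live_audience)]

# Constructed sample matching the example in the text: age 25+, women, Nepal.
LIVE = Audience(25, frozenset({"female"}), frozenset({"NP"}))
```

Running `audit` over the output of each publish function works as a regression test: the buggy path reports the crossposted page, the fixed path reports nothing.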

Timeline:

December 12, 2021: Initial report sent

December 23, 2021: Closed as Informative

December 29, 2021: I opened the report with further clarification

January 13, 2022: Triaged

February 23, 2022: Bounty rewarded + time delay bonus

March 3, 2022: Confirmation of fix from Facebook and me

Later, the fix for this issue turned out to be incomplete, and when I re-reported the problem, they responded that there are several methods to get around audience settings, such as establishing an account with a different age or using a VPN to shift countries. As a result, they do not consider audience bugs to be privacy breaches, and they will not compensate users who report them.

PoC: https://youtu.be/F9jFG8NkEEU

Thank you for taking the time to read my article. Have a great day!

You can follow me on Facebook or Instagram if you would like to stay connected with me.
