My First Bug Bounty

Hello everyone, this is Prajwol from Nepal. This is an explaination about my first bug bounty.

It was during the lockdown time, and I was bored, so I was surfing the internet, where I came across some posts about bug bounty hunting, and I began researching and learning more about it.

Then I heard about a new update on Facebook and Instagram, where an admin can handle messages, updates, and comments, as well as post directly from instagram business page to a Facebook page and I thought to myself, “Why don’t I start looking for bugs?” And in my initial testing, I discovered that when an instagram business owner tries to crosspost to a Facebook page, an error appears; when the page was to be selected for the location of crossposting on Facebook, it displayed a toast saying “you have reached the limited business you can create,”

Even though I was unable to select a page for crossposting, it did display the checked mark for crossposting When I tried to post to the Facebook page, it said the post had been made, but the post was made from my admin id, not the Facebook page.

This could result in admin disclosure, so I immediately reported it to Facebook, and a temporary fix was pushed out by security team.

Timeline of the report:

November 7, 2020: Initial Report Sent

November 11, 2020: more information asked

November 11, 2020: more information sent

November 18, 2020 : triaged

January 15, 2021 : 500$ rewarded

March 3, 2021 : Bug Fixed

Thank you for taking the time to read my article. Have a great day!

You can follow me on Facebook or Instagram if you would like to stay connected with me.