Hello everyone, this is Prajwol from Nepal. This is an explanation of my first bug bounty.
It was during the lockdown time, and I was bored, so I was surfing the internet, where I came across some posts about bug bounty hunting, and I began researching and learning more about it.
Then I heard about a new update on Facebook and Instagram, where an admin can handle messages, updates, and comments, as well as post directly from an Instagram business page to a Facebook page, and I thought to myself, “Why don’t I start looking for bugs?” In my initial testing, I discovered that when an Instagram business owner tries to crosspost to a Facebook page, an error appears: when the page was to be selected as the location for crossposting on Facebook, it displayed a toast saying “you have reached the limited business you can create”.
Even though I was unable to select a page for crossposting, it did display the check mark for crossposting. When I tried to post to the Facebook page, it said the post had been made, but the post was made from my admin ID, not the Facebook page.
This could result in admin disclosure, so I immediately reported it to Facebook, and a temporary fix was pushed out by the security team.
Timeline of the report:
November 7, 2020: Initial report sent
November 11, 2020: More information asked
November 11, 2020: More information sent
November 18, 2020: Triaged
January 15, 2021: $500 rewarded
March 3, 2021: Bug fixed
Thank you for taking the time to read my article. Have a great day!