Second bug bounty!!
Hello there, this is prajwol, and this blog is about my second Facebook bounty that I recently received.
Okay, I manage a page named Savage Thoughts. It was during the beginning of lockdown, and I was scrolling on Facebook Lite when a notification popped up saying somebody had commented on a post in Savage Thoughts. I opened the notification and saw no comments there, and I was wondering whether the comment had been deleted. Then I quickly logged in to the original version of Facebook, opened the notification, and saw the comment that had just been posted.
Then I opened FB Lite again and refreshed it again and again, but the comment didn't show up, and there was no option to control which comments are shown (All comments, Most relevant, Newest). At the bottom of the comments I saw "Most relevant comments are shown". Isn't that a privacy issue?
Then I quickly wrote a report like this:
Title : page admin cannot moderate all comments
Vuln Type : Other
Product Area : FBLite
Description/Impact : Complete Details
Hello there, when the same individual comments on a post more than once, an admin is unable to see all of the comments; by default, only the most important comments on that post are shown. The admin cannot see any of the other comments on that post; instead, only a single comment from a single user is shown.
Impact
Since the page and page activities are managed by admins, editors, and all other page roles, if a malicious person or anyone else makes some sort of vulgar remark that can be seen by the wrong audience (children), the page's credibility will be tarnished. Such content is visible to everyone in the audience. The page's engagement can also decrease. The page managers cannot manage those comments (hide, delete) or block those malicious users.
Repro Steps : Setup
===
Users: [user A as an admin and user B as a malicious user]
Environment: [user B comments on a post in a page named public]
App version: [facebook lite: 250.0.0.8.120]
Description: When user B comments on a post on the page named Public the first time with a normal comment and the second time with a vulgar or inappropriate comment, user A receives a notification (user B commented on a post). When the admin opens the notification, the admin cannot see the second comment; the admin can only see the first comment, shown as the most relevant comment by default, and also cannot view the other comments, which is kind of dissatisfying to an admin as a page manager.
Then they replied:
Hi Prajwol,
Thank you for the report. For me, when I click on the comments and select “all comments”, all comments do show up.
Given that admin can change the setting of which comments show up, the admin does have the option to moderate all comments.
As such, I am closing this report.
Thanks,
………….
Security
The reason they closed my report was that they used the regular Facebook version rather than FB Lite to reproduce the issue, so I reopened the report, saying:
Hey ………..
I hope you tested this with the Facebook Lite version, where there is no option to adjust which comments are shown and only the most relevant comments are displayed by default.
What I discovered was that comments in different formats do not show up, such as one with an emoji and the next with plain text; only the first posted comment appears. Yes, it has shown the most relevant one, but the page handlers are at risk.
I recommend that you use the Lite version as an admin and the other platform as a commenter for your convenience. When a commenter comments on a post many times in different formats, the comment does not appear to the admin, and there is no way to change the "most relevant" option to show all comments in the Lite version of Facebook.
I’ve also added several attachments here.
Thanks
Have a good day
Only then were they able to reproduce the report.
Timeline of the report:
Saturday, May 15, 2021: Initial report sent
Sunday, May 16, 2021: Unable to reproduce, asked for more information
Sunday, May 16, 2021: More information sent
Thursday, May 20, 2021: Closed as informative because they tested it on another platform
Friday, May 21, 2021: Report reopened and further clarification sent
Thursday, June 3, 2021: Triaged
Friday, July 23, 2021: Fixed and rewarded $XXX with a 5% payout bonus