Second bug bounty!!

Prajwol Dhungana
4 min read · Jul 23, 2021


Hello there, this is Prajwol, and this blog is about my second Facebook bounty, which I recently received.

Okay, I handle a page named Savage Thoughts. It was during the beginning of lockdown, and I was scrolling on Facebook Lite when a notification popped up saying somebody had commented on a post in Savage Thoughts. I opened the notification and saw no comments there, and I was wondering whether the comment had been deleted. Then I quickly logged in to the original version of Facebook, opened the notification and saw the comment that had just been posted.

Then I opened FB Lite again and refreshed it again and again, but the comment didn't show up, and there was no option to control which comments are shown (All comments, Most relevant, Newest). At the bottom of the comments I saw that only the most relevant comments are shown. Isn't that a privacy issue?

Then I quickly wrote a report like this:

Title: Page admin cannot moderate all comments

Vuln Type: Other

Product Area: FB Lite

Description/Impact: Complete Details

Hello there, when the same individual comments on a post more than once, an admin is unable to see all of the comments; by default, only the most relevant comments on that post are shown. The admin cannot see the other comments on that post; instead, only a single comment from a single user is shown.

Impact

Since the page and page activities are managed by admins, editors and all other page roles, if a malicious person or anyone else makes some sort of vulgar remark that can be seen by the wrong audience (children), the page's credibility will be tarnished. Such content is visible to everyone in the audience. The page's engagement can also decrease. The page managers cannot manage those comments (hide, delete) or block those malicious users.

Repro Steps: Setup

===

Users: [user A as an admin and user B as a malicious user]

Environment: [user B comments on a post on a page named Public]

App version: [Facebook Lite 250.0.0.8.120]

Description: When user B comments on a post on the page named Public, first with a normal comment and a second time with a vulgar or inappropriate comment, user A receives a notification (user B commented on a post). When the admin opens the notification, the admin cannot see the second comment; the admin can only see the first comment, shown as the most relevant comment by default, and also cannot view the other comments, which is quite dissatisfying to an admin as a page manager.

[Screenshot] This is how the commenter sees the post.

Then they replied:

Hi Prajwol,

Thank you for the report. For me, when I click on the comments and select “all comments”, all comments do show up.

Given that the admin can change the setting of which comments show up, the admin does have the option to moderate all comments.

As such, I am closing this report.

Thanks,

………….

Security

The reason they closed my report was that they used the Facebook version rather than FB Lite to reproduce the issue, so I reopened the report, saying:

Hey ………..,

I hope you tested this capability in the Facebook Lite version, where there is no option to adjust which comments are shown and only the most relevant comments are displayed by default.

What I discovered was that comments in different formats do not show up, such as one with an emoji and the next with plain text; only the first posted comment appears. Yes, it has shown the most relevant one; however, the page handlers are at risk.

I recommend that you use the Lite version as an admin and the other platform as a commenter for your convenience. When a commenter comments on a post many times in different formats, the comments do not appear to the admin, and there is no way to change the "Most relevant" option to show all comments in the Lite version of Facebook.

I've also added several attachments here.

Thanks,

Have a good day.

[Screenshot] This is how the admin sees the comments.

Only then were they able to reproduce the report.

Timeline of the report:

Saturday, May 15, 2021: Initial report sent

Sunday, May 16, 2021: Unable to reproduce, asked for more information

Sunday, May 16, 2021: More information sent

Thursday, May 20, 2021: Closed as Informative because they tested it on another platform when trying to reproduce it

Friday, May 21, 2021: Reopened report and further clarification sent

Thursday, June 3, 2021: Triaged

Friday, July 23, 2021: Fixed and rewarded $XXX with a 5% payout bonus

Thank you for taking the time to read my article. Have a great day!

You can follow me on Facebook or Instagram if you would like to stay connected with me.
