How’s it going, guys? Today I will be showing you exactly what I did to get the bug I discovered to qualify for the Facebook Bug Bounty Program, which earned me a $750 reward from the Facebook Security Team.

This article contains detailed information about the bug and my bug report to Facebook, along with the embedded Proof-of-Concept video. The bug could have let a malicious Facebook user add a comment on any live stream even though the streamer allowed only friends to comment on it.

How did I manage to get the Bounty?

Everything started on October 4, 2018. A friend of mine had shared a live stream of a person who had been kicked out of a reality television show for misbehaving toward the show’s main judge. I decided to watch the live stream. I wanted to comment something on it, such as “Hello!”, but the comment box wasn’t displayed at the bottom of my Android screen since the live streamer wasn’t a friend of mine. The only things I could do were share or react to the live stream. However, I found a way to comment “Hello!” on the live stream anyway.

Then I decided to create a bug report and submit it to Facebook. Both before and after submitting, I asked some of my friends working in the technical field, well-established bug hunters and web/software developers, whether the bug would qualify for the Facebook Bug Bounty Program. I was 99% sure that it wouldn’t. However, nearly a month after I submitted the vulnerability report, my chances of getting rewarded started looking better when the Facebook Security Team replied that they had resolved the issue and would get back to me once they had finalized their bug bounty decision.

What exactly did I do?

I just commented on a live stream of a person who isn’t my friend and who doesn’t allow anyone except friends to comment on his/her live streams.

What did I need to reproduce the bug?

My Facebook account

An account which isn’t a friend of mine and allows only Friends to comment on posts

A running or an ended live stream on that non-friend’s account

How did I comment?

Step 1

I visited the profile of the person who isn’t my friend and allows only friends to comment on his/her posts.

Step 2

I scrolled down until I found a live stream on his/her profile and opened the live stream.

Step 3

Facebook had launched a new feature that lets people post quick comments on live streams without having to type: common text like “Hello”, a thumbs-up and other emojis. This quick-comment area appears on every live stream; you just press one of the quick-comment buttons and it is posted as a comment on the live stream.

I saw this same area on the live stream of the non-friend Facebook user. I pressed one of the quick-comment buttons and it was posted as a comment on the live stream. It didn’t even display an error or any restriction message. To be sure, I tried again and it was posted again, and when I checked the comments list later on, I found my comments there. In other words, the friends-only setting stopped me from typing a comment (the comment box was hidden), but it did not stop the quick-comment buttons from posting one.
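The behaviour described in these three steps, modelled as an added example (my own illustrative Python, not Facebook’s code; every name such as `LiveStream`, `may_comment` and the audience values `public`/`friends`/`only_me` is assumed): one comment-creation path enforces the streamer’s “who can comment” setting while the quick-comment path forgets it, beside a fixed version where both paths share a single authorization check.

```python
"""Toy model of the bug class in this report: two entry points create the
same object (a comment on a live stream), but only one of them enforces the
post owner's "who can comment" setting. Added illustration, not Facebook's
code; all names and the audience values are assumptions."""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    friends: set = field(default_factory=set)


@dataclass
class LiveStream:
    owner: User
    comment_audience: str  # assumed values: "public", "friends", "only_me"
    comments: list = field(default_factory=list)


def may_comment(viewer: User, stream: LiveStream) -> bool:
    """The single authorization rule every comment-creating path must use."""
    if viewer.user_id == stream.owner.user_id:
        return True
    if stream.comment_audience == "public":
        return True
    if stream.comment_audience == "friends":
        return viewer.user_id in stream.owner.friends
    return False  # "only_me" or an unknown setting: deny by default


class VulnerableCommentService:
    """Mirrors the reported behaviour: the typed-comment path checks the
    audience setting, the quick-comment ("Hello" / emoji) path does not."""

    def post_comment(self, viewer, stream, text):
        if not may_comment(viewer, stream):
            raise PermissionError("commenting restricted")
        stream.comments.append((viewer.user_id, text))
        return True

    def quick_comment(self, viewer, stream, preset):
        # Bug: identical side effect, but no authorization check at all.
        stream.comments.append((viewer.user_id, preset))
        return True


class FixedCommentService:
    """Both entry points funnel through one guarded method, so a new UI
    affordance cannot bypass the owner's setting."""

    def _create(self, viewer, stream, text):
        if not may_comment(viewer, stream):
            raise PermissionError("commenting restricted")
        stream.comments.append((viewer.user_id, text))
        return True

    def post_comment(self, viewer, stream, text):
        return self._create(viewer, stream, text)

    def quick_comment(self, viewer, stream, preset):
        return self._create(viewer, stream, preset)


def reproduce(service_cls):
    """Constructed scenario from the report: a non-friend presses the
    "Hello" quick-comment button on a friends-only live stream.
    Returns True if the comment landed, False if it was rejected."""
    streamer = User("streamer", friends={"alice"})
    outsider = User("bob")  # not in streamer.friends
    stream = LiveStream(owner=streamer, comment_audience="friends")
    svc = service_cls()
    try:
        svc.quick_comment(outsider, stream, "Hello")
    except PermissionError:
        return False
    return any(uid == "bob" for uid, _ in stream.comments)


if __name__ == "__main__":
    print("vulnerable service accepted the comment:",
          reproduce(VulnerableCommentService))
    print("fixed service accepted the comment:",
          reproduce(FixedCommentService))
```

The point of the example is the check, not the data model: hiding the comment box on the client is a UX decision, while the audience restriction has to be enforced on the server for every route that can write a comment, including ones added later such as quick-comment presets.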

What did I report to Facebook? [the entire Facebook Bug Report]

I went to the Report Vulnerability form on the Facebook Whitehat webpage and reported the vulnerability to Facebook on October 5, 2018.

Title: Unauthorized Comments on Facebook Live Streams

Vulnerability Type: Privilege Escalation

Product Area: Facebook – Android

Description/Impact:

Hello, sir!

I am Binit Ghimire.

I found a bug on Facebook. Here’s how I discovered the vulnerability.

Suppose there is a person who isn’t a friend of mine on Facebook.

That person allows only “Friends” to comment in posts, pictures and videos.

When that person goes live on Facebook and I watch the live stream, a “Share” button and reaction buttons appear. Just above the reaction and “Share” buttons, text like “Hello”, a tears-of-joy emoji, a heart emoji, etc. appears in the live stream.

When I click on any of those, it gets commented, even though it wasn’t meant to be commented there. I have submitted 2 screenshots regarding this bug along with this report. I hope this bug gets resolved soon. My Facebook Profile: https://www.facebook.com/InternetHeroBINIT

My Email: thebinitghimire@gmail.com

Reproduction Steps:

Setup

=====

1. An account which isn’t your friend and allows only Friends to comment on posts.

2. Your Facebook account

3. The person who isn’t your friend and allows only Friends to comment on posts needs to start a live stream.

Reproduction Steps

==================

1. Open the live stream.

2. You will see the Share button and reaction buttons, and above these you will see some text like “Hello”, a tears-of-joy emoji, a heart emoji, etc., as shown in “photo1.jpg”. What you need to do here is click on this text to comment. It will be commented on the live stream with your Facebook account even though the live streamer doesn’t allow outsiders to comment on his/her posts.

Attachments:

photo2.jpg

photo1.jpg

The two screenshots shown earlier in this article are the exact same photos I submitted to Facebook.

After submitting this bug report, I immediately got a reply from Facebook on October 5, 2018. It was the automatic response sent for every bug report upon submission, mentioning the report number along with a message that they require some time to investigate and mitigate the issue, and noting their right to publish my bug report.

Further Information regarding the Vulnerability

Later, on October 9, they replied with the following text:

Hi Binit,

Can you provide a video showing how you, a “non-friend” of the user who posted their Live Stream, got access to see it to be able to click on these options?

Thanks,

Hatice

Security

Then I responded in the same bug report with a Proof-of-Concept video of the vulnerability on the same day (October 9).

This is what my response looked like:

Here’s a video (attached with this response) where I show how I was able to click on these options to comment on a live stream of a user who isn’t my friend and allows only friends to comment.

Attachments:

Unauthorized Comments on Facebook Live Streams.mp4