



Researcher Vivek Bansal, who had found the bug in 2013 and reported the issue to Facebook team, and in the response Facebook awarded him $2,000 as a bounty reward and also added his name in Facebook Hall-of-Fame. But After a year, Vivek once again re-check the issue and found that the issue still resides on Facebook, that he had reported earlier.





Response of Facebook Team

After re-validating the bug, Vivek once again report it to Facebook, but this time Facebook response was unexpected. The security team from Facebook replied that they were aware that the abuse was still possible in a number of cases. Instead of implementing a patch, the developers created native Share Dialog that allows users to share content from third-party mobile apps without having to disclose sensitive information, such as log-in credentials, with the app.





As there are millions of users who are accessing Facebook via mobile device and this vulnerability leaves the door open for spamming the timeline.

“This system is widely used, but there are a few cases where people use other ways to share. When fewer developers host these dialogs themselves, the situation will improve,” Facebook security team told Bansal in a recent email.



“For now, we’ve implemented a number of systems that help us prevent, detect, and respond to any unwanted posting to people’s Timelines. We use automation to catch abuse, and if we were to find any, we would remove the app and the post(s) immediately and contact the app stores to remove the app,” they added.





Video Demonstration of the Bug

A security flaw in Facebook which was earlier reported under the Facebook bug bounty program is still resides and attacker can still perform the vulnerability. The vulnerability works for some users profiles and allow posting in the timeline by using facebook apps token codes.