A high impact privacy bug was found in Facebook’s Android application by a young bug bounty hunter. The 19 year old hacker received a $4,500 bug bounty for an easy-to-exploit vulnerability found in the application which allowed users to reveal the identify of page administrators.
Sudip Shah discovered an insecure direct object reference (IDOR) vulnearbility which could allowe an attacker to disclose the identity of a page administrator. He is describing how he found the vulnerability in his medium post.
Sudip Shah told The Daily Swig:
“While intercepting and navigating to any page’s live video section in Facebook Android, I found a vulnerable endpoint,” .
“When the page_id in a request is changed to any page_id then the page admin is disclosed in the response in the broadcaster_id parameter.”
“This could be escalated further to fetch the admin information of a huge number of pages by creating a script… and capturing the admin information from the broadcaster_id in the response to a new text file.”
This is a severe information disclosure bug if someone finds the admin’s personal account. For example, many celebrities and huge personalities operate through Facebook pages, so if their personal Facebook account is disclosed then it’s like getting their personal phone numbers, which is a great problem to their privacy.
Facebook Awarded $4,500 for the Finding
Sudip reported the bug to Facebook security team in October 5 2021 and triaged the report on October 7. They fixed the vulnerability on October 21, and awared him with $4,500 on November 5.
Shah is currently ranked number 38 in Facebook’s bug bounty Hall of Fame.