Facebook decided to increase a researcher’s bug bounty payout after discovering that that a bug he reported could lead to account takeover.
In September 2017, security researcher Josip Franjković discovered an issue with Facebook’s partners portal, which leaked users’ email addresses. The bug was discovered after one of the researcher’s sites was approved to participate in the Free Basics project by Facebook.
What the researcher discovered was a medium-high impact privacy bug where adding a new admin user would leak their email address in subsequent notification emails.
Basically, for a newly added admin, the notifications emails would contain the admin’s primary Facebook email through a parameter in one of the links, the security researcher discovered.
To reproduce the bug, one would simply head to the Settings section at https://partners.facebook.com/fbs/settings/, add a name, and enter an email they control in the email field.
Next, they should simply hit the “Add” button, intercept the POST request to /mobile/settings/requirements/save/, and modify the values [settings.users.userstablecontainer.user_id] GET parameter to the ID of the victim whose email they would like to reveal, then forward the request.
Thus, the email Facebook sends to the user’s controlled address contains the victim’s primary mail as part of <a href link >, the security researcher found.
Franjković reported the discovery on September 30, 2017, and Facebook informed him a couple of days later that they fixed an account takeover vulnerability in their platform. The original privacy leak bug, however, was resolved only in late October, after the researcher informed the company the exploit would still work.
After requesting more information from Facebook, the researcher found that the bug he discovered could result in the leaking of login codes. One other parameter in the email link could “potentially be used to login to the user’s account (with some restrictions),” the researcher explains.
The feature, however, wasn’t enabled for the researcher’s account, so he could not notice it in the first place.
“Thank you Facebook’s security team for being (more than) fair – they could have awarded only the email leak bug, and I would never know this was an account takeover,” the researcher notes.
Facebook too has confirmed that, after analyzing the bug reported by Franjković internally, the security team discovered that it could potentially allow an attacker to gain access to another account.
“We did a complete review and we determined that there is no evidence that these tactics were used or that personal information was exposed,” a post by the Facebook Bug Bounty team reads.
Franjković confirmed in an email discussion with SecurityWeek that Facebook increased the paid bounty to reward him for the more important vulnerability. While he wouldn’t reveal the exact amount he received, he did say it was his biggest bounty to date.