Yeah, you read that title right. I wasn’t initially planning to blog about this bug because there is no technicality on this particular issue, but since it has been too long since me and my colleague Prakash had been planning to write write-ups about our Bug Bounty Bugs and experience, and all we did for more than a year was procrastinate, so we decided to kick off our blog with this issue. In this blog me and Prakash will share our bug bounty experience, bugs and discuss about other stuffs related to security, well mostly Web-Security.
Moving to the bug now, i think most of you haven’t believed me yet, and if you haven’t go check it out for yourself.
See, Mark did left his job at Facebook. No!! Not literally though. What i did was change this post ( https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble )which is a life event by Mark about starting his job at Facebook and manipulated it to appear as if Mark has quit his job at Facebook. This bug is applicable to every user on Facebook who has his work status published on Facebook.
As i said there is no technicality in this issue so some of you might have already figure out what i did. All i did was took original link ( https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble ) and remove the ustart=1 parameter and BAM!! the work status of Mark Zuckerburg changed.
For me this issue was a MUST FIX issue because although on a client side the post is coming from a valid user and there is no way to figure out that the post has been manipulated and has not been posted by a user. I already reported this bug to Facebook and they decided of not fixing this. So yeah, GO FIND ANOTHER BUG, Sachin.
Follow me on Twitter : https://twitter.com/sachinnthakuri