Whenever we develop an application, we run a lot of tests. Even so, it remains prone to bugs. When it comes to applications like Facebook, a bug can cause a lot of damage.
This blog post is about a security vulnerability which I found on Facebook. I've already disclosed it to Facebook and I received a $1500 reward for my work.
Normally on Facebook, when a user is blocked, neither the blocker nor the blockee can exchange messages with the other.
There is an alternate method to send messages, which is through email (Update: this feature has since been removed from Facebook).
Consider two users, John and Albert.
John has used firstname.lastname@example.org to create an account on Facebook and Albert has used email@example.com to create an account on Facebook.
Now John can send a message to Albert's Facebook inbox by sending mail to Albert@facebook.com from his registered email address, and vice versa.
If John blocks Albert, then John cannot send a message to Albert through Facebook. Facebook should also block John's email to Albert if he sends it from firstname.lastname@example.org, because John used this email address to create his Facebook account, and this information is available to Facebook.
So I had to check 4 test cases.
1. John should NOT be able to send a message to Albert through Facebook.
2. Albert should NOT be able to send a message to John through Facebook.
3. John should NOT be able to send a message to Albert through mail to the Facebook inbox.
4. Albert should NOT be able to send a message to John through mail to the Facebook inbox.
Test cases 1, 2 and 4 returned a positive result and test case 3 returned a negative result, i.e. John was able to send messages from John@gmail.com to Albert@facebook.com.
So I reported the bug to the Facebook Whitehat program with screenshots and details of the bug.
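To make the logic behind those four results concrete, here is an added model of the two delivery paths (in-app and email gateway); it is not code from this post or from Facebook, the account names, addresses and function names are constructed, and the vulnerable gateway's one-sided block check is only an assumption that reproduces the observed outcomes.

```python
# Constructed sample data: registered email address -> account name.
EMAIL_TO_USER = {
    "firstname.lastname@example.org": "John",
    "email@example.com": "Albert",
}
# (blocker, blockee) pairs: John has blocked Albert.
BLOCKS = {("John", "Albert")}

def is_blocked_either_way(a, b):
    """A block in either direction must stop messages in both directions."""
    return (a, b) in BLOCKS or (b, a) in BLOCKS

def send_in_app(sender, recipient):
    """In-app path (test cases 1 and 2): enforces the block symmetrically."""
    return not is_blocked_either_way(sender, recipient)

def resolve_sender(from_addr):
    """Map the envelope sender to the account that registered that address."""
    return EMAIL_TO_USER.get(from_addr.strip().lower())

def send_via_email_vulnerable(from_addr, recipient):
    """Email gateway as observed. Assumption: it only asks 'has the recipient
    blocked the sender?', which is one-sided and lets the blocker (John)
    still reach the blockee (Albert) by mail (test case 3)."""
    sender = resolve_sender(from_addr)
    if sender is None:
        return False
    return (recipient, sender) not in BLOCKS

def send_via_email_fixed(from_addr, recipient):
    """Fixed gateway: resolve the sender to an account, then apply the same
    symmetric block check the in-app path uses."""
    sender = resolve_sender(from_addr)
    if sender is None:
        return False  # unregistered address: never deliver
    return not is_blocked_either_way(sender, recipient)

def run_test_cases(email_send):
    """The four test cases from the post; True means the message was delivered."""
    return {
        1: send_in_app("John", "Albert"),
        2: send_in_app("Albert", "John"),
        3: email_send("firstname.lastname@example.org", "Albert"),
        4: email_send("email@example.com", "John"),
    }
```

The point of the fixed version is that every alternate delivery channel must map its sender back to an account and consult the same block relationship as the primary channel.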
Here are the mail details.
It took around 3 months to process. There were various discussions, and they often said that it was not a bug or that it would take a long time to fix. In mid-December 2013, I received a mail from Facebook about the $1500 reward.
Facebook also thanked me by posting my name at: https://www.facebook.com/whitehat/thanks/.