How I Was Able to Delete Any Facebook Story Where I Am Mentioned or Tagged
Hello readers,
After many months, I decided to write a writeup about my first bounty from Facebook, worth 1000$. Before you read this writeup, I would like to give credit to my big brother, because without him I couldn’t have found this bug.
Let’s start the story
So, it was a beautiful July 20 (which was my birthday). As it was my birthday, many of my internet friends tagged me and said “Happy birthday” to me by posting my pic (thanks btw), and on the same exact day my brother posted a story where he mentioned me and wrote the text “Happy birthday Sankalpa”. On that day I used Facebook a lot; I spent over 10 hours straight scrolling Facebook and saying thanks to everyone lol.

So I decided to deactivate my Facebook, because I had been using that shit for many hours. But at night my brother said, “Where the hell is the story that I posted and tagged you in?” He asked, “Did you delete the story?” and I said “No”. Then I remembered my school assignments and decided to reactivate my account, and my brother said, “Wtf just happened, the story is back.”

He noticed that weird behavior and I decided to investigate it a bit. Then I found that whenever someone tags me and I deactivate my Facebook, the story gets deleted too. So, without wasting my time, I reported this issue to Facebook after checking it from all my devices.

Here’s What I Reported
Title
An attacker can delete a victim's story via Facebook Lite if the victim mentions the attacker in his story and the attacker deactivates his account
Vuln Type
Privacy / Authorization
Product Area
FBLite
Description/Impact
Hello team, I encountered a really weird behaviour on Facebook. Today is my birthday (hope you will wish me) and my brother posted a story regarding my birthday and mentioned me in his story. After some hours I decided to delete my account, and my brother said that the story had been deleted, and I didn’t delete it. After analysis I came to know that if the victim mentions the attacker in his story and the attacker deletes or deactivates his account, then the victim's story will automatically get deleted.
Impact
Now, an attacker can delete a victim's story by deactivating his account if the victim mentions the attacker in his story.
Repro Steps
Steps to reproduce
USERS: user A (attacker), user B (victim)
1. From user B's account, post a story and mention user A
2. From user A's account, deactivate or delete your account
3. From user B's account, the story gets automatically deleted
I think the mention should be removed and not the whole story, and that’s damn weird.
At first, they replied to me with the following
So I sent them a PoC video.
Here’s the link in case you want it: https://www.youtube.com/watch?v=ddZDN5jbTYc
Then they replied with the following (I literally became mad from the excitement, as that was my first Facebook bug which got triaged)
Then after some days they replied to me with the following (I literally cummed when they replied with this)
Then they were taking too much time, as I was frequently asking “Any update”, and I got bored, and they finally replied with the following
And the day came when I died because of my excitement
And like that, I received my first motherfucking bounty worth 1000$ from Facebook. If you learned something (I know you didn’t, but lol who cares), then make sure you hit clap ;) I hope you enjoyed this shitty writeup; if you didn't, then I don’t really give a fuck lmao. Bye, see you next time.
Till then, “Keep learning, keep fapping and keep progressing”. Jay Nepal ❤