Hi guys, I’m Shubham Bhamare again. In this write-up, I’m going to tell you how I found a simple FB Lite bug that restricted FB Lite app users from deleting comments under certain circumstances. This was an easy finding because it was found just by observation. (Just like my previous finding of 5000 USD, where I was able to add any unowned phone number to my Facebook account.)
So without wasting time, let’s start! 👉
===
Description:
FYI, let me clarify that when I reported this issue, Facebook (now Meta) also used to consider bugs where users were unable to perform certain actions through the FB Lite app but were able to perform them through other platforms like Facebook Web, Facebook for Android/iOS, etc. This is because users with low bandwidth and storage were unable to use the other platforms mentioned above.
I don’t know if Facebook still accepts these types of bugs as I’m not hunting for bugs nowadays. Please confirm in the comments section if you have recently got a bounty for the same bug.
===
The story:
Chapter 1: I still remember when I reported this issue, it was the 1st day of August and a rainy afternoon. I was lying on the bed after lunch and scrolling through my old Facebook posts using the FB Lite app. Suddenly, I came across an old post of mine on which I had commented twice with the same word. So I tried to delete that comment but the app threw an error saying “We can’t process this request at the moment. Please try a bit later!”
I tried to delete my other comments but they didn’t get deleted either. After that, I tried to delete other people’s comments on my old posts but it threw the same error. I thought it was because I hadn’t updated the FB Lite app, so I quickly updated it and tried to delete those comments again. But still, I wasn’t able to delete them.
It was a eureka moment for me as it was something unintended. I quickly recorded a video PoC demonstrating this bug and reported it to Facebook.
Chapter 2: On the same day, Facebook replied and requested additional information such as Post ID, FB Lite version, Device information, etc. as they were unable to reproduce this issue.
So I created a test post to send its ID to the team, commented on it, and tried to delete that comment. But this time the comment got deleted successfully. I felt sad, assuming that my reported bug was nothing but a false positive. Then I tried to delete old comments, and this time it threw the same error.
It was weird. I tested it further and found that only old comments that were made in the year 2013 or prior were affected by this issue. I added this additional information to the report, and after some follow-ups, the team was able to reproduce this issue.
===
Timeline:
Aug 01, 2019: Report sent
Aug 01, 2019: Additional information requested by Facebook
Aug 02, 2019 — Aug 16, 2019: Follow-ups
Aug 23, 2019: Triaged
Oct 25, 2019: 500 USD bounty awarded
Feb 07, 2020: Fixed completely
===
Takeaway(s):
===
Thank you for reading! Stay tuned for my next write-up, and don’t forget to follow me on Facebook, Twitter, LinkedIn, and Instagram. 😊
===