A bug which won a $1500 reward from Facebook

Whenever we develop an application, we run a lot of tests. Even so, it remains prone to bugs. When it comes to applications like Facebook, a single bug can cause a lot of damage.

This blog post is about a security vulnerability that I found on Facebook. I have already disclosed it to Facebook, and I received a $1500 reward for my work.

Normally on Facebook, when a user is blocked, neither the blocker nor the blockee can exchange messages with the other.

There was an alternate method to send messages, through email (Update: the feature has since been removed from Facebook).

For example, consider two users, John and Albert.

John used [email protected] to create an account on Facebook, and Albert used [email protected] to create his account on Facebook.

Now John can send a message to Albert's Facebook inbox by sending mail to [email protected] from his registered email address, and vice versa.

If John blocks Albert, then John cannot send a message to Albert through Facebook. Facebook should also block John's email to Albert if he sends mail to [email protected], because John used this email address to create his account on Facebook, and this information is available to Facebook.

So I had to check 4 test cases.

1. John should NOT be able to send a message to Albert through Facebook.
2. Albert should NOT be able to send a message to John through Facebook.
3. John should NOT be able to send a message to Albert by mail to Albert's Facebook inbox.
4. Albert should NOT be able to send a message to John by mail to John's Facebook inbox.

Test cases 1, 2 and 4 returned a positive result (the message was blocked), and test case 3 returned a negative result, i.e. John was able to send messages from [email protected] to [email protected] even though he had blocked Albert.
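To make the failure mode concrete, here is a small Python model of the two delivery paths, added as an illustration; it is not Facebook's code and not from the original post. The block table, the email-to-account map and the addresses are constructed, and the "buggy" gateway is one plausible check that reproduces the four results above, not a description of Facebook's real implementation.

```python
# Constructed data: (blocker, blockee) pairs and registered email -> account id.
BLOCKS = {("john", "albert")}            # John has blocked Albert
EMAIL_TO_ACCOUNT = {
    "john@example.com": "john",           # constructed addresses, not the real ones
    "albert@example.com": "albert",
}


def is_blocked_either_way(a, b):
    """A block in either direction must stop messages in both directions."""
    return (a, b) in BLOCKS or (b, a) in BLOCKS


def send_via_facebook(sender, recipient):
    """In-app messaging: applies the block relationship symmetrically."""
    return not is_blocked_either_way(sender, recipient)


def send_via_email_buggy(sender_email, recipient):
    """Hypothetical gateway that only asks 'did the recipient block the sender?'.
    A mail from the blocker to the blockee therefore slips through (test case 3)."""
    sender = EMAIL_TO_ACCOUNT.get(sender_email)
    return (recipient, sender) not in BLOCKS


def send_via_email_fixed(sender_email, recipient):
    """Resolve the sender address to an account, then reuse the same symmetric
    check as the in-app path. Unknown addresses are rejected, not waved through.
    Assumes the gateway has already authenticated the From address."""
    sender = EMAIL_TO_ACCOUNT.get(sender_email)
    if sender is None:
        return False
    return not is_blocked_either_way(sender, recipient)


def run_test_cases(email_send):
    """Returns the four results in the order of the post; True means delivered."""
    return (
        send_via_facebook("john", "albert"),           # case 1
        send_via_facebook("albert", "john"),           # case 2
        email_send("john@example.com", "albert"),      # case 3
        email_send("albert@example.com", "john"),      # case 4
    )
```

The lesson the model shows is that every channel that can reach an inbox must resolve the sender to the same account identity and run the same block check, rather than carrying its own partial copy of the rule.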

So I reported the bug to the Facebook Whitehat program with screenshots and details of the bug.

Here are the mail details.


It took around 3 months to process. There were various discussions, and they often said that it was not a bug or that it would be a long-term fix. In mid-December 2013, I received a mail from Facebook about the reward of $1500.

Facebook also thanked me by posting my name at https://www.facebook.com/whitehat/thanks/.
