R D

Published On: 20 Jul 2020

$500

Not able to delete the generated app password

Other
Facebook | Web
---
LOW VALID
Description

A generated Facebook app password cannot be deleted. Under Facebook Settings -> Security and Login, a per-app password can be generated, and there is a remove option, which is broken right now.

Impact

If a user's account has been compromised, or the user has lost a device, and the user sees an app password in the account, the user can't delete or remove the generated app password.




Reproduction Steps

Step 1

Log in to your Facebook account using desktop/web.

Step 2

Go to Settings -> Security and Login -> App Password

Step 3

Try to remove a selected app. The user can't delete the selected app.

Timeline
R 12 May 2020

Initial Report

Facebook 15 May 2020

Pre-Triaged Hi, Thank you for your submission. We've managed to reproduce your report and will get back to you once we have a chance to investigate. Than ...

R 16 May 2020

Triaged Hi, Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep yo ...

Facebook 18 May 2020

Closed as Informative We have looked into the issue and decided not to pay since it doesn't meet the security bar. If someone's account is compromised, it can directly ...

Facebook 16 Jul 2020

Re-opened by Facebook Fixed. We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Facebook 16 Jul 2020

Bounty Awarded

VALID