Mohammad Atwi
Last Update: 24 Jul 2020, 15:52 PM
in Write ups
General in Facebook
Hello everyone!
As you know, many beginners ask a lot of questions about the Facebook bug bounty program, so I want to collect these questions here as a future reference. I got the content of this post from @phwd.
Response time. Be patient: there is no known average response time. A response to a report can come anywhere from 5 minutes after reporting to 1 year later. It depends on factors including severity, priority, trade-offs, ease of fix and many others. A small rule of thumb: for anything critical, you can expect a response within the day. In general, though, just wait. As long as the report is in the queue you will get a response eventually.
Duplicates. An unfortunate side effect of many users arriving at the same bug. Congratulations, you found it; you were not as quick as the first reporter, but you did find it and that counts. At the current time, do not ask for the original report or reporter; if you do see the original report published, be appreciative. Facebook will not disclose the original report or its timeline to you. You can also get a duplicate from an internal audit, which is also unfortunate; you'll just have to be faster next time.
Rate limiting. This was described well by a Facebook employee, so I'm just going to add it here: "We reward situations involving rate limiting only when there is a privacy or security risk posed by the behavior. That could mean the system isn't hooked up to our general spam and abuse prevention systems." "It depends on what you're testing! If this is to brute force and the search space is 200, absolutely. If the search space is 2^64, you should rethink the feasibility of brute-forcing." "A 6 digit numeric code? You should be able to demonstrate the ability to brute-force the actual code in a reasonable amount of time (i.e. prior to it expiring). If the code is valid for a week, then 11 codes/second will just about get you the value. If it's valid for a month, the rate goes up. I would focus on that more than on absolute numbers."
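To make the search-space-versus-expiry argument above concrete, here is an added calculator (not from the original post, @phwd or Facebook) that estimates the chance a uniformly random one-time code is guessed before it expires at a given sustained attempt rate, and, from the defender's side, the attempt budget and rate limit needed to keep that chance below a target. The time units, the 0.1 % target and the 50 % "practical" threshold are assumptions chosen for illustration.

```python
"""Brute-force feasibility of a one-time code: search space vs. validity window.

Added example, not from the original post. Assumptions: the code is drawn
uniformly at random, guesses are never repeated, and the only constraint is a
steady attempt rate that the endpoint tolerates (no lockout, no CAPTCHA).
"""

SECONDS = {"hour": 3600, "day": 86400, "week": 7 * 86400, "month": 30 * 86400}


def success_probability(search_space: int, validity_seconds: float,
                        attempts_per_second: float) -> float:
    """Chance of hitting the code before it expires.

    Each distinct guess eliminates one candidate, so after k guesses the
    probability of having found the code is k / N, capped at 1 once k >= N.
    """
    attempts = attempts_per_second * validity_seconds
    return min(1.0, attempts / search_space)


def attempt_budget(search_space: int, max_probability: float) -> int:
    """How many guesses a single code may absorb over its whole lifetime if
    an attacker's success chance is to stay at or below max_probability."""
    return int(max_probability * search_space)


def max_rate_for_target(search_space: int, validity_seconds: float,
                        max_probability: float) -> float:
    """Sustained attempts/second a rate limiter must keep an attacker under so
    that using the entire validity window does not exceed max_probability."""
    return attempt_budget(search_space, max_probability) / validity_seconds


def is_practical(search_space: int, validity_seconds: float,
                 attempts_per_second: float, threshold: float = 0.5) -> bool:
    """Report-worthiness heuristic: can the code be found with at least
    `threshold` probability before it expires at the observed rate?"""
    return success_probability(search_space, validity_seconds,
                               attempts_per_second) >= threshold


if __name__ == "__main__":
    week = SECONDS["week"]
    # 6-digit numeric code, valid for a week, 11 unthrottled guesses/second.
    print(success_probability(10**6, week, 11))          # 1.0
    # Same code: guesses to allow per code if success must stay <= 0.1 %.
    print(attempt_budget(10**6, 0.001))                  # 1000
    print(max_rate_for_target(10**6, week, 0.001))       # 1000 / 604800 per second
    # 2^64 search space at 1000 guesses/second for a week: not practical.
    print(is_practical(2**64, week, 1000))               # False
```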
Open redirects. Any redirect that goes through Facebook's "linkshim" system is not an open redirect. Try using "evilzone dot org" as the destination URL to verify your finding. There are blocked links to try here: https://www.facebook.com/groups/bugbountygroup/permalink/363878017342366/. You can read more about Facebook's linkshim here: https://www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766
Unsupported apps and devices. For these you will need to root/jailbreak your test device.
For an unsupported Android application, as long as it uses libcoldstart, you can follow this video:
For iOS you can follow this video:
https://www.facebook.com/113702895386410/videos/540117313580774/
There are also some old tools/methods; however, I cannot guarantee they still work:
https://github.com/tsarpaul/FBUnpinner
https://github.com/phwd/OneForAllFacebook
https://www.facebook.com/groups/bugbountygroup/permalink/416218442108323/