Hiding from a custom list is possible on who sees our post is possible making victim not remove them from the list.

December 11 | 2 Minutes Read

Description:

Attacker can hide in the specific friends list so that victim can’t see him while updating the list in the next post and attacker will be able to see the next post as well since victim couldn’t see him/her resulting in him/her not being removed while updating the specific people list while posting next post.

Steps of Reproduction:

1. When posting we see specific friends in the privacy settings.
   
2. User A adds User B along with many other users in this setting for a post.
   
3. User B (attacker deactivates his account).
   
4. User A won’t be able to remove user B (attacker) now while updating the specific friends list for a new post.
   
   

   Timeline:

Reported

Sunday, September 6, 2020 at 12:23 AM

Pre-Triaged

Tuesday, September 15, 2020 at 4:07 AM

Triaged

Tuesday, September 15, 2020 at 7:33 AM

Bounty Awarded ($500)

Thursday, November 12, 2020 at 9:36 PM

Fixed

Friday, December 11, 2020 at 10:25 AM