Hiding from custom story privacy list is possible in FBlite making the victim unable to remove you from the list.

December 24 | 2 Minutes Read

Description:

Attacker can hide himself in the custom story privacy settings in Facebook Lite app making victim unable to remove him from the list, and the attacker will automatically be on the next custom list of the victim custom story settings.

Impact:

Victim will be unable to remove attacker from the custom story privacy settings allowing attacker to still be on the custom list for new stories that victim uploads. Since victim won’t be able to see that attacker is in that list and will not be able to remove the attacker, after victim uploads a new story and decides to change the custom list, the attacker will still be on the new list without victim’s knowledge.

Reproduction Steps:

1. From User A (victim’s) account, upload a story with a custom privacy settings adding User B(attacker) and User C (random user).
   
2. User B (attacker) will now deactivate his account.
   
3. User A (victim) (in FacebookLite app) will upload another story next time and will think of making changes to the custom list but he won’t be able to find the attacker in that list.
   
4. User B (attacker) will be able to continue to be in the custom story privacy list.
   
   

   Timeline:

Reported:

Sunday, September 27, 2020 at 11:48 AM

Pre-Triaged:

Tuesday, September 29, 2020 at 7:00 AM

Triaged:

Wednesday, September 30, 2020 at 1:34 AM

Fixed:

Friday, November 6, 2020 at 12:32 AM

Improper Fix:

Friday, November 6, 2020 at 12:35 PM

Triaged Again:

Tuesday, November 10, 2020 at 1:13 AM

Bounty Awarded For First Issue. ($500)

Thursday, November 12, 2020 at 9:18 PM

Second Issue Patched:

Monday, December 7, 2020 at 11:59 PM

Bounty Awarded For Second Issue. ($500)

Thursday, December 24, 2020 at 12:40 AM