Baibhav Anand Jha


$~# whoami
Baibhav Anand Jha
I do bug-bounties
I develop
I learn
I hack
He/Him

 

      

Hiding ourself in close friend’s list and avoiding victim to remove us from his close friend’s list.

April 23 | 2 Minutes Read



Description:

There is a feature in Facebook called close friend’s list which you can find here: https://www.facebook.com/bookmarks/lists this allows you to add someone as a close friend. Exploiting this will allow someone to hide oneself in the close friend’s list and not allow victim to remove them from the close friend’s list.

Setup

Users: UserOne (Attacker) UserTwo (Victim)

Environment:

UserOne is in the close friend’s list of UserTwo.

Steps Of Reproduction:

  1. UserOne (Attacker) is in the close friend list of UserTwo (Victim).
  2. UserOne deactivates his account.
  3. UserTwo will no longer be able to see UserOne in his close friend’s list.
  4. UserOne reactivated his account and he will still be in the close friend’s list of UserTwo.

Timeline:

Reported
Friday, March 13, 2020 at 5:23 PM
Triaged
Monday, April 13, 2020 at 2:45 PM
Fixed
Tuesday, April 14, 2020 at 9:03 AM
Bounty Awarded ($500)
Thursday, April 23, 2020 at 4:20 PM