An interesting voice confusion discovery in Meta bug bounty

Rajiv Gyawali
Published in InfoSec Write-ups
3 min read · Aug 11, 2022


Hi, I am Rajiv Gyawali from Butwal, Nepal. Today I am writing about one of my recent findings in the Meta bug bounty program.

As we all know, Meta no longer accepts issues related to voice confusion in classic pages; this issue is related to voice confusion in a Profile+ page.

Despite finding several issues related to voice confusion in classic pages, they couldn’t qualify for a bounty due to changes in Meta’s policy regarding voice issues. Their Whitehat info page still accepts voice issues in certain circumstances, but when reporting, your report will be closed as N/A or Informative.

This is what is written on the Whitehat info page regarding voice confusion issues:

  • Missing actor indicator (where the identity under which the admin is acting is unclear) will no longer be awarded a bounty and the report will be deemed informative. There are two exceptions related to this listed below. Both will continue to be considered an issue and will be rewarded:
      • Actor indicator conflicts with toast/prompt (e.g. inline selector displays Page profile, while prompt mentions that “You’re now interacting as your profile”) will receive a minimum bounty if the actions taken are deemed reasonable.
      • Inline display is present but incorrect (e.g. the display says “Commenting as Page” but instead comments as an admin) equals $1,000 payout.

Even if your finding meets the mentioned criteria you won’t get any reward.

Let’s get back to the main topic.

I had one page which was converted to a Profile+ page. You can learn about Profile+ pages here; they are also known as the new Page experience.

When I first switched my voice to the new page, it felt like using a new Facebook account, completely like another Facebook account. I had to create a post on that page; I didn’t think much, just created a post and switched back to my main profile.

After a few hours, I went to the new page to see the progress of the post that I had created earlier. As there were very few likes on that post, I liked the post myself as the page. What I saw after liking the post was interesting: the comment voice of that post was changed to my personal profile.

And when I tried commenting on that post, the comment was made from the page voice. To confirm the vulnerability, I tested it several times; it was not reproducible in some attempts but reproducible in most of the tries. I reported it to Facebook, and after several discussions with Facebook the bug was accepted.

The reproduction steps for the bug were interesting to me; they are as follows:

  1. Go to Facebook — web
  2. Create a post in your Profile+ page
  3. The post can be of any type (i.e. text only, photo, photo and text, etc.)
  4. After the post is created, like or react to that post.
  5. You will see the comment voice being changed to your personal profile.
  6. If you comment, the page voice will be used, but when commenting, there was a clear indication of your personal Facebook profile.

PoC Video - https://www.youtube.com/watch?v=JGOJNqL-kHE

The discussion with Facebook security was also dramatic. They took 10 days to triage the issue from the reported date.

Timeline:

Reported — 19th June 2022

Initial response — 20th June 2022 (Asked for PoC)

Sent with PoC — 20th June 2022

Another response — 20th June 2022 (Unable to reproduce)

Sent with additional details — 21st June 2022

Triaged — 24th June 2022

Triage cancelled — 24th June 2022

Sent with more details — 25th June 2022

Triaged — 29th June 2022

Rewarded — 23rd July 2022

Patched and Confirmed — 25th July 2022

This issue has a variety of ways of reproduction. The root cause of this bug was also associated with “Page to page voice confusion” and “Post Voice confusion”. Currently all issues related to it are fixed, and I am disclosing it under the responsible disclosure policy after approval from Facebook security.

If you wish to connect with me, you can find me on LinkedIn and Facebook.
