Randy Arios
Mar 4, 2021

Low-hanging fruit in Facebook Group Rooms: unable to remove a group post when a room is posted with an event ($500)

Hello reader,

My name is Randy Arios, and this is the story of my finding on facebook.com. This is also my first write-up after a long time of not publishing my advisories and bug bounty findings.

OK, without wasting time, let's get to the point. This finding is about low-hanging fruit in facebook.com group rooms. When you join a group, there is one new menu (not really new, actually) called Room: a new way to spend time with friends, family and fellow group members.

I found that when we create/post a room to a group and add an event to that post, after the room has ended the event we added before is not deleted with the room post; it becomes a single post by itself and cannot be deleted.

Steps to reproduce:
1. Create a room, add an event to it, and post it to the group.
2. End the room; you will see that the room has ended, but the event will become a post.
3. Delete the event post; you will get an error and cannot delete that “event” post.

After 3 weeks, I got a reply from the Facebook security team that the issue had been fixed, and I got a $500 bounty.

Timeline:

  1. 3 February 2021: Report sent
  2. 6 February 2021: Triaged
  3. 26 February 2021: Bounty paid (even though the fix was still pending)
  4. 3 March 2021: Issue fully resolved and confirmed

I am sorry if my English is not good, and also sorry if the write-up is very simple; I am kind of a lazy guy, hahaha.

Thanks for reading.

#facebook #bugbounty #writeup

Randy Arios

I am a simple man who loves to hunt bugs and get bounties in my spare time.