Security researcher Manjesh S. from India found a Facebook bug. He shared with HOC how he found a logic bug in Facebook Groups and was awarded $2,000 by the Facebook Bug Bounty Program.
Normally a group's admins can remove members, add members, and edit or delete posts. Where the attacker also holds admin rights, the attacker has those same powers; the problem behind this bug is that an admin cannot remove the attacker from the group.
If the attacker is an ordinary member, they can post anything in the group and the admin cannot remove them.
If the attacker also holds admin rights, they can do whatever they want in the group, and the admin can neither remove them from the group nor revoke their admin rights. The attacker therefore keeps admin rights permanently and nobody can take them away.
The bug had already been fixed on the Facebook desktop site, but it was not fixed on the Facebook mobile sites.
Impact of this Bug:
- An attacker inside the group can read all of its posts without the admins noticing.
- If the attacker has admin rights, they can edit or delete any post without the admins knowing.
- If the attacker has admin rights, they can remove members from the group without the admins knowing.
- Even if the admins discover the attacker, they cannot remove the attacker from the group or revoke the attacker's admin rights from the mobile site or the mobile apps.
- The attacker can invite more members, preserve the group's content, or shut the group down if it is no longer needed.
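The report gives no detail on how the removal was blocked, only that the fix reached the desktop site and not the mobile ones. The defensive lesson for anyone building group or team administration is that the authorization decision must live in one shared function that every client surface calls, and that the same scenarios must be run against every surface. The following is an added illustration by the editor, not the researcher's code and not how Facebook's group service is built: the group model, the `can_remove_member` policy, the surface adapters (including a deliberately drifted `legacy_mobile_app_remove` that carries its own copy of the rule) and the `divergent_surfaces` check are all hypothetical, and the sample group is constructed here.

```python
import copy
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    MEMBER = "member"
    ADMIN = "admin"


@dataclass
class Group:
    """Hypothetical group record: maps user id to role."""
    name: str
    roles: dict = field(default_factory=dict)

    def is_admin(self, user: str) -> bool:
        return self.roles.get(user) is Role.ADMIN


class NotAuthorized(Exception):
    pass


def can_remove_member(group: Group, actor: str, target: str) -> bool:
    """The one authorization decision every client surface must consult.

    Any admin may remove any other member, admins included, so a second
    admin can always be evicted; a plain member may remove nobody; removing
    yourself or a non-member is refused here (those are separate flows).
    """
    if not group.is_admin(actor):
        return False
    if target not in group.roles or target == actor:
        return False
    return True


def remove_member(group: Group, actor: str, target: str) -> None:
    """Shared mutation; raises instead of silently doing nothing."""
    if not can_remove_member(group, actor, target):
        raise NotAuthorized(f"{actor} may not remove {target} from {group.name}")
    del group.roles[target]


# Correct surfaces are thin adapters around the shared function.
def desktop_remove(group, actor, target):
    return remove_member(group, actor, target)


def mobile_web_remove(group, actor, target):
    return remove_member(group, actor, target)


def legacy_mobile_app_remove(group, actor, target):
    """Hypothetical drifted surface: it re-implements the rule locally and
    refuses to remove anyone holding admin. An attacker who has obtained
    admin is therefore unremovable from this client, while the desktop
    surface removes them without trouble."""
    if not group.is_admin(actor):
        raise NotAuthorized("not an admin")
    if group.is_admin(target):
        raise NotAuthorized("cannot remove an admin")  # drift from policy
    del group.roles[target]


SURFACES = {
    "desktop": desktop_remove,
    "mobile_web": mobile_web_remove,
    "mobile_app_legacy": legacy_mobile_app_remove,
}


def outcome(handler, group: Group, actor: str, target: str) -> str:
    """Run one surface on a private copy of the group and classify the result."""
    g = copy.deepcopy(group)
    try:
        handler(g, actor, target)
    except NotAuthorized:
        return "denied"
    return "removed" if target not in g.roles else "no-op"


def divergent_surfaces(surfaces, group: Group, actor: str, target: str) -> list:
    """Names of surfaces whose outcome differs from the shared policy's verdict."""
    expected = "removed" if can_remove_member(group, actor, target) else "denied"
    return sorted(name for name, handler in surfaces.items()
                  if outcome(handler, group, actor, target) != expected)


def make_group() -> Group:
    """Constructed sample: alice founded the group, mallory (the attacker)
    has somehow obtained admin, bob is an ordinary member."""
    return Group("demo", {"alice": Role.ADMIN, "mallory": Role.ADMIN,
                          "bob": Role.MEMBER})


if __name__ == "__main__":
    g = make_group()
    for target in ("bob", "mallory"):
        print(f"alice removes {target}: drifted surfaces ="
              f" {divergent_surfaces(SURFACES, g, 'alice', target)}")
```

Run stand-alone, the check reports no drift when alice removes bob and flags `mobile_app_legacy` when she tries to remove the attacker-admin mallory, which is the shape of the defect the report describes. The point of `divergent_surfaces` is that it compares each surface to the policy rather than to another surface, so a regression that reaches only one client is caught even when the other clients were patched.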