Monday, 26 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty



In the middle of January of 2014, I submitted a bug to Facebook through its bug bounty program.

The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then log in to Facebook with your Skype account.

Here's a look at how it worked exactly:

In Facebook's "Find Friends" feature, you can log in to your Yahoo, Outlook, Skype, and other accounts to add people into your contacts list on Facebook (and then in turn add them, I guess).

The feature in question

By logging in to your Skype account in the feature and pressing "Find Friends", you were taken to the next page.

The prompt "Would you like to send friend invites to all of your imported contacts?" came up, which you could answer with either No or Yes (No was obviously the suggested option).

Then it would show the names and Skype names of the imported people, and ask whether you wanted to "Send Invites" or "Skip". Skip was also the suggested option.

We'd then be redirected back to the original "Find Friends" page.

Then, loading the page, in the sub-section "Contacts Imported (not yet invited)"...


(Note: It actually displayed full emails, not just partial)
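The defensive fix this flow calls for is data minimisation in the import view: render what the importing user already had (the contact's Skype name) and never the provider-supplied email of a contact who has not accepted them. This is an added illustration, not Facebook's code; the record fields, the `mutual_contact` flag and the masking format are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImportedContact:
    """One record handed back by the third-party contact import (constructed shape)."""
    display_name: str
    skype_name: str           # identifier the importing user already supplied or saw
    email: Optional[str]      # provider-supplied; the contact never shared it with us
    mutual_contact: bool      # assumed flag: has the contact accepted the requester?


def mask_email(email: str) -> str:
    """Partial form such as a***@example.com; the local part is never shown in full."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        return "***"            # malformed value: show nothing rather than guess
    return f"{local[0]}***@{domain}"


def contact_view(c: ImportedContact) -> dict:
    """Build the record that the 'Contacts Imported (not yet invited)' list may render.

    Only fields the viewer already had, or is entitled to, reach the page. A full
    email is released only when the relationship is mutual on the provider side.
    """
    view = {"display_name": c.display_name, "skype_name": c.skype_name}
    if c.email:
        view["email"] = c.email if c.mutual_contact else mask_email(c.email)
    return view


def import_list_view(contacts: list) -> list:
    """Apply the per-contact policy to a whole imported list."""
    return [contact_view(c) for c in contacts]


def leaked_emails(contacts: list, views: list) -> list:
    """Regression check: full emails of non-mutual contacts that reached the view."""
    return [c.email for c, v in zip(contacts, views)
            if c.email and not c.mutual_contact and v.get("email") == c.email]


if __name__ == "__main__":
    # Constructed sample: two one-sided adds and one mutual contact.
    sample = [
        ImportedContact("Alice", "alice.sk", "alice.w@example.com", False),
        ImportedContact("Bob", "bob.sk", "bob@example.com", True),
        ImportedContact("Carol", "carol.sk", None, False),
    ]
    print(import_list_view(sample))
```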

So I instantly emailed Facebook with the information.

After a back-and-forth about the bug, I was told to wait awhile for it to be fixed.

And then finally, I received this email...

And was I surprised.
I didn't consider this a massive bug and expected to get the minimum reward of $500.

Well, I guess that's it.