Student Gets Rewarded For Facebook Bug Bounty Program

Namaste! Good Morning,

A computer science student at COMSATS Institute of Information Technology, Islamabad (Pakistan), named Haider Mehmood took part in Facebook's Bug Bounty Program and was rewarded $500 for finding and reporting an HTML injection vulnerability.

The details of the bug are as follows:

Vulnerability title: HTML Injection

Vendor homepage: http://m.facebook.com

Remote/Local: Remote

Tested on: Windows 7 64-bit, Firefox (it should also have worked on other operating systems and browsers; not verified on IE)
Vulnerability Submitted on:  12/1/2013
Vulnerability Status: FIXED / PATCHED



Facebook runs a survey to evaluate the mobile user experience of people browsing the Facebook mobile site. Here is the survey: https://m.facebook.com/survey.php . When you enter your mobile phone brand, the page offers a list of brands in case you typed an incorrect one.


The list of mobile brands provided in the survey was:


The list of phone brands was passed to the page as HTML code inside a URL parameter:

 https://m.facebook.com/survey.php?incorrect_brand&params=[HTML code of Brands and Radio Buttons]


A remote user was able to add any brand name and any radio buttons to that parameter, therefore allowing remote HTML injection. It was as simple as it sounds.
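To make the root cause concrete, here is a small added illustration (constructed for this post, not Facebook's code) of the pattern described above: a page that reflects the `params` query value straight into its HTML next to a hardened version that treats the value as a list of brand names and builds the radio buttons itself. The URL shape and the comma-separated brand list are assumptions for the example.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed illustration, not Facebook's code: the survey page rebuilt the
# brand list from the `params` query parameter and emitted it as raw HTML.
SURVEY_PATH = "https://m.facebook.com/survey.php"


def _params_value(url: str) -> str:
    """Return the URL-decoded value of the `params` query parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get("params", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: any markup it carries becomes part of the page."""
    return "<form>" + _params_value(url) + "</form>"


def render_hardened(url: str) -> str:
    """Treat the parameter as data only: split it into brand names, escape each
    one, and generate the radio-button markup exclusively on the server side."""
    brands = [b.strip() for b in _params_value(url).split(",") if b.strip()]
    items = []
    for brand in brands:
        safe = html.escape(brand, quote=True)  # & < > " ' become entities
        items.append(
            f'<label><input type="radio" name="brand" value="{safe}">{safe}</label>'
        )
    return "<form>" + "".join(items) + "</form>"


def build_url(params: str) -> str:
    """Build a survey URL carrying the given `params` value (assumed URL shape)."""
    return f"{SURVEY_PATH}?incorrect_brand&{urlencode({'params': params})}"


if __name__ == "__main__":
    # Constructed sample: a legitimate brand followed by a stray <b> element.
    url = build_url("Nokia,<b>Injected</b>")
    print(render_vulnerable(url))  # the <b> element is rendered as markup
    print(render_hardened(url))    # the <b> element is rendered as literal text
```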

PoC Haider submitted to Facebook:



Facebook replied and acknowledged the issue:


Facebook replied again after two months, once they had patched the vulnerability:


They then emailed Haider regarding his eligibility for the bug bounty program and the details of the bounty:
