Manish Bhattacharya, a student and tech enthusiast in his third year of engineering, has discovered a couple of security vulnerabilities on Facebook. Inspired by hackers who have reported vulnerabilities on Facebook, computer geeks have developed a craze for analysing various sites and reporting bugs to the sites concerned. Recently, Khalil Shreateh and Ehraz discovered certain serious bugs for which they didn't receive a bounty due to various legal issues raised by the Facebook team. This time, Manish, from India, reported two serious vulnerabilities that existed on Facebook. Both were confirmed by the Facebook team, and he has received $5000 as a Facebook bounty.
Manish had already shown a keen interest in finding vulnerabilities on various sites. The sad part of his bug-hunting story was that he didn't receive any bounty for his research.
While continuing his research without giving up, he found a vulnerability on a site called Asana, a mobile application website. He reported a clickjacking vulnerability to the Asana team. At first, the site refused to accept it as a bug, but later, when he added a proof of concept to his report, his research was confirmed and Asana awarded Manish $100 as a bounty.
Manish then started his research on the world's largest social networking site, Facebook. He was successful in finding the first bug, which allowed him to send messages to any Facebook profile. The bug was said to exist in the message composer page of Facebook's mobile site.
The second bug Manish discovered allowed getting likes and comments on any note through clickjacking. With a few user interactions, Manish was able to get likes and comments, without their consent, from the people he shared the notes with. The tech enthusiast says he was inspired to analyse this second issue by remembering the issue he discovered on Asana.
When Manish reported these two vulnerabilities to Facebook, the team recognized the report as valid and sent him the bounty information in their second email.
Manish is from a middle-class family. When we spoke to him, Manish said that he was very happy to receive this bounty from Facebook. He also said:
"I am a student of B.Tech (Computer Science, 3rd Year) and pursuing my engineering with the help of a bank loan. The bounty which I've received from Facebook will sum up my father's 3 years' total income. I am very happy and proud of my parents, who worked hard to make me learn stuff."
Manish published a blog post about his research journey soon after he received the bounty from Facebook. When Khalil Shreateh's issue went viral and many people started opposing Facebook, we thought the company no longer encouraged white hat hackers, but from Manish's case we can judge that Facebook holds firmly to its policies and laws.
What are your thoughts on this? Facebook is still not secure, and you just thought your privacy was safe. People like Manish and the other security researchers on the wall of fame are among the protectors who make you safer on the web.