Pakistani Security Researcher gets 500$ Reward for Facebook Bug Bounty Program

A Pakistani Security Researcher, Former Black Hat - Haider Mehmood Qureshi, gets 500$ reward from Facebook under Facebook Bug Bounty Program for reporting HTML Injection flaw on Facebook mobile site.

Below are the details of Bug provide by the Researcher to The Hackers Post.

[#] - Vulnerability Title:
                           HTML Injection

[#] - Vendor homepage: 
                          http://m.facebook.com

[#] - Remote/Local: 
                         Remote

[#] - Tested on: 
                        Windows 7 64 bit Firefox browser  (but should have worked on other OS and browsers                      (not sure about IE))

[#] - Vulnerability Submitted:  
                        12/1/2013

[#] - Vulnerability Status: 
                         FIXED

[#] - Vulnerable  Parameter: 
                        https://m.facebook.com/survey.php?incorrect_brand&params=

Facebook mobile provides a survey to evaluate the mobile user experience as they surf facebook mobile site. Here is the survery  link: https://m.facebook.com/survey.php .

While entering the mobile phone brands , it provides a list of brands in case you didn’t type the correct brand.

The list that was provided contained their HTML code inside the parameter

https://m.facebook.com/survey.php?incorrect_brand&params=[HTML code of Brands and Radio Buttons]

Remote User can add any brand Name and Radio buttons, hence allowing Remote HTML injection. It was as simple as it sounds. This could also result in adding junk entries into to database hence causing spam, because remote user can add entries and submit.

Below is the screenshot of a  portion of exact POC Researcher submitted to Facebook:

Below my the first reply from Facebook and they acknowledged the issue

below is their reply after 2 months when they fixed the issue


below is their email regarding my eligibility of bug bounty and details.

There is increase rise in black hats changing their dimensions towards bug reporting rather than exploiting them. Yesterday, we reported the youngest security researcher found XSS flaw on Amazon Site.

About Security Researcher Haider:
Haider Mehmood Qureshi is a BS Computer Sciences Student from Comsats Intitute of information technology Islamabad, He do freelancing as Penetration Tester, Started learning pentesting/hacking in 2009. Initially, he was into defacing websites just for fun, later realized to make Pentesting/Security auditing as my career. You can contact security researcher here.

email