A minor bug that enables anyone to manipulate the life events of any user has just been reported by the independent bug hunter Sachin Thakuri. Even though it is not of a technical or security nature, the bug can cause some distress. It could be used by bad actors and could cause moral damage at the very least.
Facebook refused to fix the bug
Here’s the original post written by the researcher himself: https://www.secinfinity.net/facebook-bug-that-made-mark-zuckerburg-quit-his-job-at-facebook/. Interestingly enough, the researcher claims that he has contacted Facebook, but they decided not to fix it. Even though it’s not malicious, it could still be quite damaging to Facebook users, and it’s weird the company has chosen to leave it hanging like that.
Here’s how Sachin discovered the bug
For research purposes, he used the original URL of Mark Zuckerberg’s life event:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble
Then he removed the ‘ustart=1’ parameter:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&&__mref=message_bubble
Clicking on the manipulated URL above shows the same life event page of Mark Zuckerberg, but with a ‘slight’ difference in the text: it displays “Left Job at Facebook” instead of “Started Working at Facebook”.
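The class of flaw behind this behaviour, shown as an added example that is not code from the researcher or from Facebook: a handler that lets a query-string flag choose the displayed label, next to one that derives the label only from the stored record. How Facebook actually renders life events is not described here, so the event store, the label table, the use of `hash` as a lookup key and both function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side record (assumption: the real data model is unknown).
EVENTS = {"971179541251": {"owner": "zuck", "kind": "job_start", "org": "Facebook"}}
LABELS = {"job_start": "Started Working at {org}", "job_end": "Left Job at {org}"}

# The two URLs from the article; removing "ustart=1" leaves the "&&" seen above.
ORIGINAL = ("https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600"
            "&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1"
            "&__mref=message_bubble")
TAMPERED = ORIGINAL.replace("ustart=1", "")


def render_trusting(url):
    """Anti-pattern: a client-supplied flag decides which label is shown."""
    q = parse_qs(urlsplit(url).query)
    event = EVENTS[q["hash"][0]]
    # The meaning of the event is taken from the request, not from storage.
    kind = "job_start" if q.get("ustart") == ["1"] else "job_end"
    return LABELS[kind].format(org=event["org"])


def render_hardened(url):
    """The label comes only from the stored record; query flags cannot alter it."""
    q = parse_qs(urlsplit(url).query)
    event = EVENTS.get(q.get("hash", [""])[0])
    if event is None:
        raise LookupError("unknown life event")
    return LABELS[event["kind"]].format(org=event["org"])


if __name__ == "__main__":
    for name, url in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(name, "| trusting:", render_trusting(url),
              "| hardened:", render_hardened(url))
```
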
If you have doubts that this bug is real, check it out for yourself:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&__mref=message_bubble
We’ll see how long it will take for scammers to find the bug themselves and exploit it for whatever reasons they may have.