Hi All,

This is a simple logical issue which I found in Facebook fundraiser feature. The blocking feature in Facebook leads to a lot of logical problems. This is one of them.

We can create fundraisers for nonprofits and personal causes on Facebook. We can add our friends as organizers in the fundraisers we created. They need to approve our invitation to become an organizer. Once they approved the invitation an attacker was able to block the victim and thus victim was unable access the fundraiser and remove themself as an organizer from the fundraiser. An attacker could use this for their personal benefits.

Steps:

1)Attacker creates a fundraiser and invites victim as an organizer

2) Once victim accepts the invitation, attacker blocks the victim..

3) Victim is now unable to access the fundraiser but others can still see the victim as an organizer of the fundraiser

Facebook rewarded me 500 USD for this finding.

Timeline:

April 23, 2020: Reported
May 06, 2020: Triaged
May 26, 2020: Fixed
May 28, 2020: Bounty awarded