# Facebook Groups Bug Bounty – 2018

This is my second bug bounty - a bug that I discovered while messing around on a Facebook group. It was my freshman year at ASU, and I was administering this Facebook group called "The Great Indian Dream, Class of '23" – a group dedicated to Indian high school students seeking admissions in foreign universities.

**Background**

Facebook has a policy that you can change a group's name only **once** every 28 days if your group is big. This is to prevent abuse and maintain consistency. While joking about this on a post on that group, the conversation quickly turned to bug hunting and eventually triggering this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710233059335/26f240b2-8c2c-4f58-93fe-df7dcab488f0.png)

My initial instinct to test this actually came from the outdated UI they had, which sort of indicated this thing hadn't been touched in a while. Immediately I headed to Charles Proxy to capture and modify the request this was sending upon changing the name.

I copied the curl command of the request, and kept replaying it again with different group names.

```bash
curl 'https://www.facebook.com/groups/<GROUP_ID>/edit/' \
--data-binary 'jazoest=<REDACTED>&fb_dtsg=AQGfx9WwthQl&__a=1&group_purpose=social_learning_landing_tab&group_currency=USD&description=&topics=&name=testgroup0&group_members=&admin_post_approval=1&stories_post_permissions=1&nctr[_mod]=pagelet_group_edit&__user=<REDACTED>' \
--compressed
```

And to my surprise, **the group name changed!** A bunch of people on that group saw that happen which sparked quite a lot of laughter and a little bit of shock. To be fair, this bug isn't big - it's not an account takeover.

However, this gets even more interesting...

I tried sending `<br />` as part of the `name` parameter. Yes, actual HTML tags as the name. And to my surprise, it seemed to not have parsed the HTML quotes but rather broke something on the backend! So much so that once you name a group `<br />` without the sanitization that the frontend does, you can make a Facebook group **INACCESSIBLE and UNFIXABLE - even through the exploit!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710233874763/1f689e0a-eb1e-48f0-b60e-acf81c42779e.png)

Again, always sanitize everything on the backend – DO NOT trust your requests!
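The two checks this bug shows were missing on the server (the 28-day rename limit and validation of the `name` field), sketched as an added example. This is not Facebook's code and not from the original post; the record layout, the size threshold, the length limit and the choice to reject angle brackets outright are assumptions.

```python
import html
import unicodedata
from datetime import datetime, timedelta, timezone

RENAME_COOLDOWN = timedelta(days=28)  # the policy the post describes
LARGE_GROUP_MEMBERS = 5000            # assumed threshold; the post only says "big"
MAX_NAME_LEN = 75                     # assumed limit

class RenameRejected(Exception):
    """Raised when the server refuses a rename request."""

def validate_name(raw):
    """Normalise and validate a group name taken from the request body."""
    name = unicodedata.normalize("NFC", raw).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise RenameRejected("name length out of range")
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        raise RenameRejected("control characters not allowed")
    if "<" in name or ">" in name:
        raise RenameRejected("markup characters not allowed")
    return name

def rename_group(group, raw_name, now):
    """Apply a rename only if both server-side checks pass.
    `group` is a dict standing in for the stored record (hypothetical schema)."""
    name = validate_name(raw_name)
    last = group.get("last_renamed_at")
    if (group["member_count"] >= LARGE_GROUP_MEMBERS and last is not None
            and now - last < RENAME_COOLDOWN):
        raise RenameRejected("name was changed less than 28 days ago")
    group["name"] = name
    group["last_renamed_at"] = now
    return group

def render_name(group):
    """Escape on output as well, so a stored name is never parsed as HTML."""
    return html.escape(group["name"])

if __name__ == "__main__":
    t0 = datetime(2018, 11, 1, tzinfo=timezone.utc)  # constructed sample data
    g = {"name": "old", "member_count": 10000, "last_renamed_at": t0}
    for attempt in ("testgroup0", "<br />"):
        try:
            rename_group(g, attempt, t0 + timedelta(days=1))
        except RenameRejected as e:
            print(repr(attempt), "->", e)
```

Because the checks run in the handler rather than in the page's JavaScript, a replayed request fails the same way a click in the UI would.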

Anyway, I reported all of this to Facebook Security, and was awarded $500!

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710234013393/2bb4f989-f8e5-4e16-ab12-d3f2f8891e1f.png)

Timeline:

| Event | Date |
| --- | --- |
| Initial Report | Sun, Nov 25, 2018, 10:30 AM |
| Request for more info | Wed, Nov 28, 2018, 11:19 AM |
| Request for more info | Mon, Dec 3, 2018, 11:03 AM |
| Escalated to team for further investigation | Thu, Dec 13, 2018, 8:23 AM |
| Vulnerability Patched Notification | Wed, Jan 2, 2019, 12:48 PM |
| Bounty Awarded | Thu, Jan 3, 2019, 4:28 AM |
| Featured on Facebook Hall of Fame 2018 | Fri, Jan 4, 2019, 10:50 AM |
