Facebook Checkpoint Flaw

NOTE : THIS IS BEING PUBLISHED WITH THE PERMISSION OF FACEBOOK UNDER THE RESPONSIBLE DISCLOSURE POLICY. THE BUG IS FIXED NOW.



USER DATA WAS NOT DELETED AS EXPECTED :



ABOUT THE FEATURE :

Let's say a malicious actor somehow got access to your account through phishing or social engineering and posted, reacted, commented and performed other activities on your behalf.
Facebook provides a checkpoint feature, "Let's Secure Your Account", in which the user is asked to go through a few checkpoints in order to secure his/her account. The user can access this feature at www.facebook.com/hacked (if already logged in).


ABOUT THE BUG :

While going through the checkpoints, one checkpoint asks the user to review recent activity and delete anything he/she does not want on Facebook. Even after the user confirmed particular activities for deletion, they were still present on Facebook (and the user was unaware that the activity had not been deleted).

PROOF OF CONCEPT :



TIMELINE :

10 June 2017 : Initial Report Sent to Facebook

21 June 2017 : Escalation By Facebook

11 July 2017 : Facebook Deployed A Complete Fix on Issue

13 July 2017 : Bounty of $500 Rewarded By Facebook