Facebook Checkpoint Flaw
NOTE : THIS IS BEING PUBLISHED WITH THE PERMISSION OF FACEBOOK UNDER THE RESPONSIBLE DISCLOSURE POLICY. THE BUG IS FIXED NOW.
USER DATA WAS NOT DELETED AS EXPECTED :
Let's say a malicious actor somehow gained access to your account through phishing or social engineering and posted, reacted, commented and performed other activities on your behalf.
ABOUT THE FEATURE :
Facebook provides a checkpoint feature, "Let's Secure Your Account", in which the user is asked to go through a few checkpoints in order to secure his/her account. The user can access this feature at www.facebook.com/hacked (if already logged in).
ABOUT THE BUG :
While going through the checkpoints, one checkpoint asks the user to review recent activity and select anything they do not want on Facebook so that it can be deleted. Even after the user confirmed that particular activities should be deleted, they were still present on Facebook (and the user was, of course, unaware that the activity had not been deleted).
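The following is an added example, not Facebook's code and not part of the original write-up. It models the "review and delete recent activity" checkpoint step with a hypothetical activity store and two hypothetical handlers: a buggy one that acknowledges the user's confirmation without removing anything (the failure mode described above) and a fixed one that actually deletes. The verification routine is the post-condition check a tester would run to catch this class of bug: after the checkpoint reports success, re-read the activity as a different viewer and confirm the confirmed items are gone. All names, data and handlers are constructed for illustration.

```python
"""Model of a 'review and delete recent activity' checkpoint step.

Constructed example: the activity store, both handler variants and the
verification routine are hypothetical, not Facebook code. It shows the bug
class in the write-up (the checkpoint acknowledges a deletion request but
the activity stays visible) and the post-condition check that catches it.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    activity_id: str
    owner: str
    kind: str  # "post", "comment", "reaction", ...
    text: str


@dataclass
class ActivityStore:
    """Hypothetical backing store for account activity."""
    items: dict = field(default_factory=dict)

    def add(self, act: Activity) -> None:
        self.items[act.activity_id] = act

    def visible(self, viewer: str) -> list:
        """IDs a given viewer can see; in this model all activity is public."""
        return sorted(self.items)


def recent_activity(store: ActivityStore, owner: str) -> list:
    """What the checkpoint shows the account owner for review."""
    return sorted(a.activity_id for a in store.items.values() if a.owner == owner)


def checkpoint_delete_buggy(store: ActivityStore, owner: str, selected: list) -> dict:
    """Buggy variant: validates and records the confirmation, reports success,
    but never removes anything from the store (the behaviour the write-up reports)."""
    confirmed = [i for i in selected
                 if i in store.items and store.items[i].owner == owner]
    return {"status": "ok", "deleted": confirmed}


def checkpoint_delete_fixed(store: ActivityStore, owner: str, selected: list) -> dict:
    """Fixed variant: deletes only the owner's own selected items and reports
    exactly what was removed."""
    removed = []
    for i in selected:
        act = store.items.get(i)
        if act is not None and act.owner == owner:
            del store.items[i]
            removed.append(i)
    return {"status": "ok", "deleted": removed}


def verify_deletion(store: ActivityStore, handler, owner: str, selected: list,
                    viewer: str = "someone_else") -> list:
    """Post-condition check a tester would run: after the checkpoint reports
    success, none of the items it claims to have deleted may still be visible
    to another viewer. Returns the IDs still present (an empty list means pass)."""
    result = handler(store, owner, selected)
    if result["status"] != "ok":
        return list(selected)
    return [i for i in result["deleted"] if i in store.visible(viewer)]


def build_store() -> ActivityStore:
    """Constructed sample data: activity an attacker created as 'alice',
    plus an unrelated item owned by 'bob' that must never be touched."""
    store = ActivityStore()
    store.add(Activity("p1", "alice", "post", "Attacker-posted status"))
    store.add(Activity("c1", "alice", "comment", "Attacker-posted comment"))
    store.add(Activity("r1", "alice", "reaction", "Like on a stranger's post"))
    store.add(Activity("p2", "bob", "post", "Bob's own unrelated post"))
    return store


def demo(handler) -> list:
    """Run the checkpoint for 'alice', who confirms deletion of everything
    shown to her, and return whatever is still visible afterwards."""
    store = build_store()
    selected = recent_activity(store, "alice")
    return verify_deletion(store, handler, "alice", selected)


if __name__ == "__main__":
    print("buggy handler leaves behind:", demo(checkpoint_delete_buggy))
    print("fixed handler leaves behind:", demo(checkpoint_delete_fixed))
```

The point of `verify_deletion` is that it does not trust the handler's "ok" response: it re-reads the activity from a different viewer's perspective, which is exactly how the original bug would have been noticed. The same check run against a real account (confirm deletions in the checkpoint, then view the profile from a second account) is the practical reproduction step.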
PROOF OF CONCEPT :
DISCLOSURE TIMELINE :
10 June 2017 : Initial Report Sent to Facebook
21 June 2017 : Escalation By Facebook
11 July 2017 : Facebook Deployed A Complete Fix on Issue
13 July 2017 : Bounty of $500 Rewarded By Facebook