In this week’s blog, I am writing about how I was able to bypass the eligibility criteria for the Brand Collabs Manager and register my page without meeting the criteria and policy. I wasn’t awarded any bounty for this as Facebook’s production team deemed it unqualified for monetary reward.
If you are not familiar with what Brand Collabs Manager is on Facebook, it is the monetization of Facebook videos where brands can reach out to their creators for branded content partnerships.
To be eligible to register in Brand Collabs Manager, one needs to meet the following conditions:
- Your Facebook page must have a minimum of 1,000 followers.
- In 60 days, your posts must have reached 15,000 engagements.
- In 60 days, your videos must have 180,000 minutes of views.
- In the last 60 days, your page must have 30,000 views along with a minimum of one minute watch time for videos over 3 minutes long.
Let me take you through what I found –
When I went to the Brand Collabs Manager application form, I saw that I was not eligible to apply for the Brand Collabs Manager as Nassec.io, as my page didn’t meet the above-mentioned criteria.
However, I tried registering Nassec.io in the brand collabs manager by changing the response status from ineligible to eligible as shown below.
This was the response of the request to collect information about all the pages. Here, I changed "eligibilityBucket":"ineligible" to "eligibilityBucket":"eligible" and I saw that it was eligible for registering in Brand Collabs Manager.
Once I changed the status to "eligible", I was granted access to the sign-up form for the Brand Collabs Manager. I filled in the sign-up form and got a success message as shown below.
It went for manual verification with the Facebook team and for a moment, I thought my request would be rejected.
However, after waiting for a few minutes I got an email from Brand Collabs Manager saying that my application was approved.
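The flow above is consistent with the eligibility decision being read from data the browser can alter and not being recomputed when the sign-up is submitted; that is an assumption, since the post does not show the server side. The following is an added example, not code from the original post or from Facebook, contrasting a sign-up handler that trusts a client-echoed "eligibilityBucket" with one that re-derives it from server-held metrics using the criteria listed earlier. The field names, page ids, metrics store and handler names are hypothetical.

```javascript
// Added example: field names, the in-memory store and both handlers are hypothetical.
// Thresholds are the eligibility criteria listed in the post.
const CRITERIA = {
  followers: 1000,            // minimum page followers
  engagement60d: 15000,       // post engagement in the last 60 days
  minutesViewed60d: 180000,   // video minutes viewed in the last 60 days
  oneMinuteViews60d: 30000,   // 1-minute views of 3+ minute videos, last 60 days
};

// Constructed server-side metrics, keyed by page id (stand-in for a database).
const PAGE_METRICS = {
  'page-small': { followers: 420, engagement60d: 900, minutesViewed60d: 1200, oneMinuteViews60d: 75 },
  'page-big': { followers: 52000, engagement60d: 48000, minutesViewed60d: 260000, oneMinuteViews60d: 91000 },
};

// Recompute the bucket from server-held data only; unknown pages are ineligible.
function eligibilityBucket(pageId) {
  const m = PAGE_METRICS[pageId];
  if (!m) return 'ineligible';
  const ok = Object.entries(CRITERIA).every(([k, min]) => Number(m[k]) >= min);
  return ok ? 'eligible' : 'ineligible';
}

// Weak pattern: the sign-up endpoint trusts state the client echoes back.
function signupTrustingClient(req) {
  if (req.body.eligibilityBucket !== 'eligible') return { status: 403, queued: false };
  return { status: 200, queued: true };
}

// Hardened pattern: ignore client-supplied eligibility, re-derive it at
// submission time, and record any mismatch as a tampering signal.
function signupServerChecked(req, log = []) {
  const actual = eligibilityBucket(req.body.pageId);
  const claimed = req.body.eligibilityBucket;
  if (claimed !== undefined && claimed !== actual) {
    log.push({ event: 'eligibility_mismatch', pageId: req.body.pageId, claimed, actual });
  }
  if (actual !== 'eligible') return { status: 403, queued: false };
  return { status: 200, queued: true, bucket: actual };
}

// Constructed request: an ineligible page whose client-side state says "eligible".
const tampered = { body: { pageId: 'page-small', eligibilityBucket: 'eligible' } };
const audit = [];
console.log('trusting handler:', signupTrustingClient(tampered).status);
console.log('checked handler:', signupServerChecked(tampered, audit).status, audit);
```

The mismatch record gives reviewers doing manual verification a concrete signal that the submitted state differed from what the server computed.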
I sent a report to the Facebook team including a Proof of Concept (POC). Facebook’s security team triaged the report and got back to me a day later with the following message.
Reported — October 23, 2019
Reproduced — October 28, 2019
Triaged — October 29, 2019
Rejected — November 13, 2019
Though I was not awarded any bounty for this find, it did help me enhance my bounty skills. Bug bounty is not always about finding bugs and earning money. So don’t get disappointed even if you are not awarded a bounty at times, and keep continuing with bug bounty.
This blog was originally published on NASSec Publication.