This bug is very similar to my previous finding, but with a different reproduction method.
When my previous bug was fixed, Facebook asked me to confirm it, so I repeated all the steps exactly as before, and on getting back to Facebook the code parameter had been removed.
So I confirmed to them that the bug had been fixed and got the bounty. A week later, while routinely checking my testing email, I spotted another automatic mail from Facebook, a “Reminder: Confirm your Facebook account”, for the account I had created to check the fix for my previous bug.
When I checked the link, the 5-digit OTP code was the same as the one I had received at the alternative email address. Then I started to look for the root of the issue, and finally found it.
1. Create a new account with an “attacker email” that you can access (ex: email@example.com)
2. Go to settings and change the email to a “victim email” that you cannot access (ex: firstname.lastname@example.org)
That’s it. On the 3rd day after the account was created, the reminder mail to confirm the account arrives from Facebook, but the 5-digit OTP code in that mail is the victim address’s confirmation code.
Because of the three-day wait associated with this vulnerability, there is enough time for a user to potentially notice the original email confirmation in their inbox and disavow it before the email is confirmed.
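To make the root cause concrete, here is an added model of the reminder logic (example code written for this post, not Facebook’s implementation; the account structure, function names and addresses are assumptions). It contrasts a reminder job that mails the signup address with the code belonging to the current primary address against a hardened job that only ever sends a code to the address it confirms, plus a simple outbound-mail check that flags the mismatch.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    signup_email: str                         # address the account was created with
    primary_email: str                        # current address; may be changed before confirming
    codes: dict = field(default_factory=dict) # email -> 5-digit code that confirms that email
    confirmed: set = field(default_factory=set)

def issue_code(acct: Account, email: str) -> str:
    """Issue a 5-digit confirmation code bound to the address it is meant to verify."""
    code = f"{secrets.randbelow(100_000):05d}"
    acct.codes[email] = code
    return code

def change_email(acct: Account, new_email: str) -> None:
    """User changes the still-unconfirmed primary address in settings (step 2 above)."""
    acct.primary_email = new_email
    issue_code(acct, new_email)

def reminder_vulnerable(acct: Account) -> dict:
    """Reminder job as the write-up describes it: the mail is sent to the signup
    address but carries the code that confirms the current primary address."""
    return {"to": acct.signup_email, "code": acct.codes[acct.primary_email]}

def reminder_fixed(acct: Account) -> dict:
    """Hardened reminder: the recipient is always the address the code confirms,
    so a code can never reach a mailbox other than the one it proves control of."""
    return {"to": acct.primary_email, "code": acct.codes[acct.primary_email]}

def confirm(acct: Account, email: str, code: str) -> bool:
    """Server-side check: the code must match the one issued for this exact address."""
    if acct.codes.get(email) == code:
        acct.confirmed.add(email)
        return True
    return False

def code_leaks(acct: Account, mail: dict) -> bool:
    """Review check for outbound mail: does this message carry a code that
    confirms an address other than its recipient?"""
    return acct.codes.get(mail["to"]) != mail["code"]

def scenario(attacker_email: str, victim_email: str) -> tuple:
    """Run the two reproduction steps (constructed addresses) against both reminder jobs."""
    acct = Account(signup_email=attacker_email, primary_email=attacker_email)
    issue_code(acct, attacker_email)       # step 1: account created with a mailbox you control
    change_email(acct, victim_email)       # step 2: primary switched to an address you do not
    return acct, reminder_vulnerable(acct), reminder_fixed(acct)
```

Running `scenario(...)` shows the vulnerable reminder delivering the victim address’s code to the signup mailbox, while the fixed reminder never does; the `code_leaks` check is the kind of invariant worth asserting in tests for any account-confirmation mailer.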
3-August-2016: Report sent
26-August-2016: Facebook responded that they were not able to reproduce the issue
7-September-2016: Further investigation by Facebook
21-September-2016: Fix confirmed and $3000 bounty awarded by Facebook