Find Birth Year of Your Friends in Facebook

This is one of my finding in Facebook which i want to share with you all.

While searching for bugs on Facebook, i came to know that you cant post anything beyond your birth date. ie if your birth date is 01/01/1970, you cant publish a post on 31/12/1969. So i started playing with this.

suddenly i realised ,if i cant post anything beyond my birth date, that means even my friends wont be able to post beyond their birth date as well. So i created one post and tagged my friend and set date to something around 1970(example) and published a post. I checked my friends timeline and no year appeared on the right side of the timeline( you see year queries on timeline on right side). so i again edited the same post and changed the year to 1971. again it did not appear on timeline. I did this several times (decrementing the year one by one ) and suddenly the year appeared on timeline.

After testing for a while, I realised, the year which is printed on timeline is 1 year less than birth year of my friend. i.e if your friend birth year is 1989,  you will see 1990 year printed on timeline. you wont see 1989.

This should work for friends who are younger than you as you cant post beyond your own birth date. if you want to find out the birth year of elder friends, you can just adjust your birth year for time being to something greater.

Reported this to Facebook but unfortunately i got the following response

facebook bounty1


Facebook Simple Technical Bug worth 7500$

I don’t like writing much but since i have won some bounty from Facebook, i decided to write one.

My main intention was to get into Facebook whitehat list!

There are lot of security researchers around the world who are hunting for bugs ,so there was no point in hunting for bugs like XSS, CSRF etc but i kept reading different bug reports (Thanks to @phwd for his notes) and tried to learn different hacking methods.i reported few bugs in-between but they were rejected as some of them were low severity or duplicates(almost 2 of them and still they are not fixed).

Then i found some articles where Facebook paid bounty for some logical bugs or information disclosure bugs.So i started hunting for such bugs.

while testing i came across friendship page where i can replace both the ids and see anyone’s friendship but obviously page was displayed irrespective of whether they are friend or not!

so i had to find first if 2 people are friends or not.

I initially tested this on mobile site and later realized it works on desktop site as well.

but what was the bug here??

if you carefully see, there are year queries returned on the right side of the timeline.

now consider this example

your friend has applied privacy settings to his friend list . since you are his friend,you can see his timeline and read his few posts. you can easily recognize some of his friends. now you can easily guess that both of them are friends even if they both applied privacy settings to their friendlist.

so if you put their ids in, you will able to see the friendship page but what interesting is year wise queries returned on the right side of the timeline. normally you will see year wise post but even if there are no posts, still the year queries are returned. so i found this vulnerable!

i tested against few ids and found that, they are actually returned from start of their friendship! example

if year queries returned are





so even if there are no posts between them in 2012, year would still appear there because they became friends in 2012!

Reported this to Facebook saying its a privacy issue which allows me to see their year of friendship but got rejected reply

2015-09-24 11_31_05-Support Inbox

I replied them back saying its not about friendlist privacy but knowing about friendship year.after few days , i opened my Facebook and had 2 replies from Facebook

2015-09-24 11_31_19-Support Inbox

and after few hours

2015-09-24 11_31_24-Support Inbox

at this point, i was little optimistic because i knew, they must have found something as they replied back again and i was waiting for their reply!

believe me , if they had not replied again, i too would have not replied them back either.but luckily they did and results are below!

after almost 10 days, when i opened my Facebook, i had this reply 🙂

2015-09-24 11_31_31-Support Inbox

Yes 7500$ bounty from Facebook!

This is very high amount for such kind of bug but i think they paid so much because of the logic and this was there since many years?

anyways huge thanks to Facebook team for the bounty!


July 28 2015- bug submitted

July 30 2015- got rejected reply from Facebook

July 31 2015- sent more clarification by me

Aug 14 2015 – again rejected by Facebook

Aug 14 2015- Facebook replied again saying they are investigating further

Aug 25 2015- Awarded by Facebook with 7500$ bounty