Facebook launched a new portal for the Facebook Hackercup competition https://www.facebook.com/codingcompetitions/. At a user’s profile https://www.facebook.com/codingcompetitions/profile there seems to show the indication at “Private Contact Info” that any information (other than name, contests, submissions) will be private. However, the field for viewing whether the user allows recruitment contact is public to all.

The impact is minor as it’s just a boolean field however Facebook isn’t keeping the privacy information here consistent by allowing this. Since a Hackercup participant links back to the Facebook user object, this can be used to pull all entrants per each competition all the back way back to 2011 and see the breakdown for who allows a recruiter to contact them.

A participant object looks like the following,

{"data":{"node":{"__typename":"CodingContestIndividualEntrant","entrant_personal_info":{"recruitment_preference":"ALLOW_RECRUITMENT_CONTACT","individual_entrant_user":{"id":"13608786"}}}},"extensions":{"is_final":true}}

If the user changes his preference at https://www.facebook.com/codingcompetitions/profile, DISALLOW_RECRUITMENT_CONTACT will be shown instead.

Impact (A verbatim explanation of the bounty by Facebook):

A Hackercup participant request to be contacted by FB recruiters is accessible publicly

Timeline

Jul 9, 2020 – Report sent
Jul 14, 2020 – Confirmation of submission by Facebook
Jul 15, 2020 – Further investigation of submission by Facebook
Jul 27, 2020 – Confirmation of patch by Facebook
Aug 13, 2020 – Bounty awarded by Facebook