Add comment on a private Oculus Developer support


Oculus Developer support is the dedicated hub for developers and creators seeking to explore the limitless possibilities of virtual reality (VR) on the Oculus platform for more details see

The finding

Having previously tested Oculus a few months ago without uncovering any bugs, I revisited the platform on September 17th for a fresh examination. During my exploration of the Oculus Developer domain, I stumbled upon an intriguing option labeled ‘Report a Bug.’ While this feature allows users to submit general bugs to the Oculus support team, I identified a potential security vulnerability. This flaw could have enabled unauthorized users to comment on private Oculus Developer bug reports by exploiting the knowledge of the victim’s comment ID

Reproduction Steps

Step 1: I initiated the process by creating a public bug and adding a comment. Following that, I replied to my own comment and intercepted the request using Burp Suite to scrutinize the parameters involved. The request structure looked as follows:

POST /graphql?locale=user HTTP/1.1


Step 2: In the analysis of the request, two parameters stood out:

  1. comment_parent_id: Refers to my bug ID (accessible from the URL link:
  2. external_post_id: Refers to the ID of the comment (my comment) that I replied to.

Given these insights, two plans came to my mind:

Plan A: Initially, I attempted to add comments to other users’ private bugs by replacing my bug ID with theirs. Unfortunately, this approach did not yield the desired results.

Plan B: Shifting focus, I aimed to add comments on other users’ private bugs by altering the external_post_id value to the comment ID of their private bug. Through testing with two separate accounts, this plan proved successful, bypassing their security measures since they were only verifying based on the bug ID and not the external_post_id (comment ID). Remarkably, I knew that plan B will work when I was in the plan A stage, don’t ask my how !!, I just felt it.

Bug Limitation

This bug, while impactful, had a singular limitation: how could an attacker obtain other users’ comments IDs from their private bugs? Given that private bugs are only accessible to the bug owner and the support team, this presented a challenge. It’s indeed a formidable question, as discovering such information is inherently difficult, if not seemingly impossible.

However, even in the realm of heightened security measures, one must acknowledge the potential for inventive tactics. Imagine a scenario where an attacker somehow manages to uncover other users’ comments IDs or crafts a list of random comment IDs, initiating a methodical yet random attack. The possibilities are wide-ranging, reminding us that in the dynamic landscape of cybersecurity, everything is within the realm of plausibility.

Addressing and rectifying vulnerabilities of this nature is imperative. While the immediate exploit might seem complex, the broader perspective emphasizes the need for proactive solutions and continual vigilance in safeguarding user data and system integrity.


Sarmad | 17 Sep 2018

Initial Report

Meta Bug Bounty | 19 Sep 2018

Report Triaged

Meta Bug Bounty | 05 Oct 2018

Bug Fixed

Sarmad | 05 Oct 2018

Fix Confirmed

Meta Bug Bounty | 10 Oct 2018

Bounty Awarded