Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
This bug could allow a malicious actor to take over Facebook/Meta accounts if the user decided to play a Canvas game.
This bug could allow a malicious actor to take over Facebook (and Meta) accounts after tricking the user to
DOM-XSS in Instant Games due to improper verification of supplied URLs
A malicious actor could steal a first-party access token of the Oculus application which he could use to access the
Description This bug could allow a malicious actor to take over a Facebook account after stealing a Gmail OAuth id_token/code used
Multiple bugs chained to take over Facebook Accounts which use Gmail.
Summary After publishing the write-ups about the bugs I previously found in Facebook Games Platform (Canvas), I thought
More secure Facebook Canvas Part 2: More Account Takeovers
Description These bugs could allow malicious actors who own Android applications installed on the victim's device alongside Facebook-owned Android
Summary Facebook has allowed online game owners to host their games/applications in apps.facebook.com for many years now. The idea and technology
Description This bug could allow an attacker to force a user on Oversightboard.com who visited his website to make certain requests which
Oversightboard.com site-wide CSRF due to missing checking
Description This bug could have allowed an attacker to target Facebook users in order to potentially leak unconfirmed emails or
Disclose unconfirmed email/phone of a Facebook user
Description This bug allows an attacker to manipulate the callback endpoint that would receive the Oculus access token used by