Uncategorized – Page 4 – Youssef Sammouda

URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs.

February 15, 2021February 15, 2021 qw

Description This could allow an attacker to embed an external website in an “img” tag. Normally Facebook doesn’t allow the

Continue readingURLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs.

Uncategorized

View orders and financial reports lists for any page shop

February 15, 2021February 15, 2021 qw

Description This bug could allow an attacker with no role in a page to extract the list of financial and

Continue readingView orders and financial reports lists for any page shop

Uncategorized

Expose the email address of Workplace users

January 3, 2021January 3, 2021 qw

This bug could allow a malicious user to expose the email address of any workplace user only by knowing his

Continue readingExpose the email address of Workplace users

Uncategorized

XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers

January 1, 2021January 1, 2021 qw

This bug could allow an attacker to steal a first party Oculus access token which would allow him to access

Continue readingXSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers

Uncategorized

Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it

December 31, 2020January 1, 2021 qw

This bug could allow an attacker to target websites that included Facebook Javascript SDK. The attacker would trick a certain

Continue readingBad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it

Uncategorized

Facebook DOM Based XSS using postMessage

November 7, 2020November 7, 2020 qw

The first bug could have allowed a malicious user to send cross-origin messages via postMessage method from facebook.com domain. The

Continue readingFacebook DOM Based XSS using postMessage

Uncategorized

Disclose content of internal Facebook javascript modules ( Revisited )

July 23, 2020July 23, 2020 qw

This bug could have allowed a malicious user to disclose the content of internal Facebook Javascript modules which have constants/configurations/endpoints

Continue readingDisclose content of internal Facebook javascript modules ( Revisited )

Uncategorized

Admin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page.

July 2, 2020July 2, 2020 qw

Description This bug could allow an attacker to disclose the username of a page admin by only supplying the id

Continue readingAdmin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page.

Uncategorized

Privilege escalation in Partners Portal to Admin access

June 14, 2020June 14, 2020 qw

Description This bug could allow a malicious user with low permissions in a “Partners Portal” account, to upgrade his access

Continue readingPrivilege escalation in Partners Portal to Admin access

Uncategorized

Internal directories enumeration in www

June 14, 2020June 14, 2020 qw

Description This bug could allow an attacker to enumerate internal “www” or “flib” directories by finding sub-directories and “potentially” files

Continue readingInternal directories enumeration in www