Description This bug could have allowed an attacker to raise a PHP exception after manipulating with some parameters in the

Continue readingInternal path disclosure in Instagram server

Description This bug could have allowed a malicious user to access dashboard designed for certain mobile carriers to refer to

Continue readingAccess portal of Facebook mobile retailers and see earnings and referrals reports.

Description This bug could have allowed an attacker to send emails from legal_noreply@fb.com to any email address and change the

Continue readingSend emails on behalf of legal_noreply@fb.com

Description This bug could have allowed an attacker to view ads plans of a business without having a role or

Continue readingDownload predictions details of ads plans of any business.

Description This bug could have allowed an attacker with no role in a page to extract the list of financial

Continue readingView orders and financial reports lists for any page shop.

This bug could have allowed an attacker to download files which have been uploaded previously by employees or normal users

Continue readingDisclose files content from Facebook internal CDNs

This bug could have allowed a malicious user to disclose the content of internal Facebook Javascript modules which have constants/configurations/endpoints

Continue readingDisclose the content of internal Facebook Javascript modules.

This could allowed an attacker who has access to a user’s web session to use DYI to download all of

Continue readingBypass password confirmation in Facebook “DYI” feature

This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could

Continue readingFacebook CSRF protection bypass which leads to Account Takeover.

This bug could be exploited by a malicious user to generate reports about audience network for any Facebook business.