Posts

- Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
- DOM-XSS in Instant Games due to improper verification of supplied URLs
- Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing
- Multiple bugs chained to take over Facebook accounts which use Gmail
- More secure Facebook Canvas Part 2: More Account Takeovers
- Multiple bugs allowed malicious Android Applications to take over Facebook/Workplace accounts
- More secure Facebook Canvas: Tale of $126k worth of bugs that lead to Facebook Account Takeovers
- Oversightboard.com site-wide CSRF due to missing checks
- Disclose unconfirmed email/phone of a Facebook user
- Oculus SSO "Account Linking" bug leads to account takeover on third-party websites and inside VR Games/Apps
- One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover
- Identify a Facebook user by their phone number despite privacy settings being set
- Account takeover of Instagram accounts due to unrestricted permissions of third-party applications' generated tokens
- Facebook account takeover due to unsafe redirects after the OAuth flow
- Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow
- Facebook account takeover due to a wide platform bug in ajaxpipe responses
- Expose Facebook object type (including private objects)
- Expose information about Partner accounts in Partner portal
- Ability to find Facebook employees' test accounts, which leads to the disclosure of internal information
- Disclose internal CMS objects content
- Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation
- XSS in Facebook CDN due to improper filtering of uploaded files' extensions
- Enumerate internal cached URLs which lead to data exposure
- Leaking Facebook user information to external websites / Setting some cookies' values
- Open redirect in Instagram.com
- Access private information about SparkAR effect owners who have a publicly viewable portfolio
- Make recruiting referrals on behalf of employees
- Leak of internal categorySets names and employees' test accounts
- Delete linked payments accounts of a Facebook page (or user)
- Access files uploaded by employees to internal CDNs / Regenerate URL signature of user-uploaded content
- URLs in img tag aren't passed through safe_image.php, which leads to exposure of Facebook users' IPs
- View orders and financial reports lists for any page shop
- Expose the email address of Workplace users
- XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers
- Bad regex used in Facebook JavaScript SDK leads to account takeovers in websites that included it
- Facebook DOM Based XSS using postMessage
- Disclose content of internal Facebook JavaScript modules (Revisited)
- Admin disclosure of Facebook verified pages / Disclose Facebook employee assigned to help a verified page
- Privilege escalation in Partners Portal to Admin access
- Internal directories enumeration in www
- Disclose the Instagram account linked to a Facebook user account or page
- Disclose internal files related to testing of some Facebook tools
- Exposure of Facebook object type by knowing the object ID
- Add draft subtitles to any Facebook video and Full Path Disclosure
- Generate valid signatures for files hosted in Facebook CDNs
- Ability to bruteforce Instagram account's password due to lack of rate limitation protection
- Facebook CSRF bug which leads to Instagram partial account takeover
- Cross-Site WebSocket Hijacking bug in Facebook that leads to account takeover
- Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge
- HTML to PDF converter bug leads to RCE in Facebook server
- Internal path disclosure in Instagram server
- Access portal of Facebook mobile retailers and see earnings and referrals reports
- Send emails on behalf of legal_noreply@fb.com
- Download predictions details of ads plans of any business
- View orders and financial reports lists for any page shop
- Disclose files content from Facebook internal CDNs
- Disclose the content of internal Facebook JavaScript modules
- Bypass password confirmation in Facebook "DYI" feature
- Facebook CSRF protection bypass which leads to Account Takeover
- Export Facebook audience network reports of any business
- Leak of private/in-development app ids, names and translation requests
- Internal paths disclosure due to improper exception handling
- Enroll in Facebook Ad-break program without Facebook approval
- Disclose page violations and its eligibility to use Ad-breaks
- Disclose page's admins and its Monetization payout details
- Disclose Instagram business account linked to a Facebook page
- Change payment account of any Facebook commerce page
- Expose business email and payment account balance of any Facebook commerce page
- Bruteforce Instagram account's passwords (lack of rate limiting protection)
- Reveal if a Facebook merchant page has pending or completed orders
- Generate Access Tokens for any Facebook user
- Modify users' profiles of techprep.fb.com
- Uploading files to api.techprep.fb.com