Brief Summary

My name is Youssef Sammouda. I am a penetration tester with a strong background in testing web and mobile applications. Throughout the past five years, I have focused on developing web applications in various programming languages and performing vulnerability assessments for many companies, and mainly for Facebook through its bug bounty program and live hacking competitions.

Skills

● Manual code analysis for common security vulnerabilities.
● Blackbox security testing of web applications and web/mobile APIs.
● Coding in PHP (5 and 7) and Python; basic knowledge of C/Java; shell programming with Bash.
● Working and security knowledge of Linux, macOS and Windows.
● Proficient in English, French and Arabic.

Professional Experience

Found more than 80 valid vulnerabilities in Facebook-owned websites and reported them to the company under the Whitehat bug bounty program.
Some of these vulnerabilities are described in detail in the blog section of my website.

Highlights:

  • Returning data fragments of any Facebook object through exceptions, which led to the disclosure of sensitive information about Facebook infrastructure and users.
  • Generating access tokens for any Facebook user, which led to access to private information via the Facebook Graph API.
  • Multiple bugs that allowed access to files hosted on internal CDNs, including mobile users' crash logs and files uploaded by Facebook employees.
  • Multiple cross-site scripting vulnerabilities that allowed a malicious actor to take over any user's Facebook account after tricking him/her into visiting the attacker's website.
  • Critical-impact authentication vulnerabilities enabling account takeovers or making the user perform certain actions, with or without his/her interaction, through CSRFs or due to missing checks.
  • Authorization vulnerabilities that bypassed Facebook's privacy model: creating/deleting users' content, and viewing emails, credit card information and page admins.

Awards:

  • Top contributor to Facebook's bug bounty program (2017, 2018 – 5th place, 2019 – 1st place, 2020 – 1st place)
  • Participated in two live hacking competitions organised by Facebook (Vancouver 2019 – 1st place, BountyCon 2020 – 2nd place)

Volunteer Work

OWASP QRLJacking Project, OWASP. Maintainer of the OWASP QRLJacking project.