One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover
Description: On the desktop version of www.instagram.com, it’s possible to exploit a reflected XSS bug in some scenarios when the
Description: This bug could allow an attacker to identify if a phone number is linked to a Facebook user account
Continue reading: Identify a Facebook user by his phone number despite privacy settings set
Description: Access tokens returned when an Instagram user authorizes a third-party Instagram application which was created to use the Instagram
Description: This bug could allow a malicious user to take over the Facebook account after stealing a first-party access_token issued to apps.crowdtangle.com. The
Continue reading: Facebook account takeover due to unsafe redirects after the OAuth flow
This bug could allow a malicious user to take over Facebook or Instagram accounts due to missing URL path checking in
Continue reading: Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow
This bug could allow a malicious user to steal the access_token/code of a first party Facebook application and use it
Continue reading: Facebook account takeover due to a wide platform bug in ajaxpipe responses
Description: This bug could allow an attacker to disclose the object type of a Facebook object ID supplied. This works
Continue reading: Expose Facebook object type (including private objects)
Description: This bug could allow an attacker to expose some information about a Partner account in Partners Portal by only
Continue reading: Expose information about Partner accounts in Partner portal
Description: This bug was not actually a real vulnerability; however, a weakness in the way employees test accounts user ids
Description: This bug was found in the CMS WYSIWYG tool which is used to create CMS objects internally and was