About Me

My name is Youssef Sammouda, and I am a penetration tester specializing in web and mobile application security. Over the past eight years, I have developed a strong background in both building web applications using various programming languages and conducting comprehensive vulnerability assessments. Much of my experience comes from participating in bug bounty programs and live hacking competitions, notably with Facebook.
Skills

  • Manual code analysis to identify common security vulnerabilities
  • Blackbox security testing of web applications and web/mobile APIs
  • Proficient in PHP (versions 5 and 7), Python, with basic knowledge of C, Java, and Bash shell scripting
  • Experienced with Linux, macOS, and Windows operating systems from both usage and security perspectives
  • Fluent in English, French, and Arabic

Professional Experience

I have discovered and responsibly disclosed more than 200 valid vulnerabilities in Facebook-owned websites through their Whitehat bug bounty program. Many of these vulnerabilities are documented in detail in the blog section of my website.

Highlights include:

  • Exposure of sensitive Facebook infrastructure and user information by retrieving data fragments via exception handling
  • Generation of access tokens for any Facebook user, enabling unauthorized access to private data through the Facebook Graph API
  • Exploitation of bugs allowing access to files hosted on internal CDNs, including mobile user crash logs and employee-uploaded files
  • Multiple cross-site scripting (XSS) vulnerabilities leading to account takeover scenarios through social engineering
  • Critical authentication flaws enabling account takeovers or unauthorized actions via CSRF and improper validation
  • Authorization bypasses that circumvent Facebook’s privacy controls, such as unauthorized content creation/deletion and viewing private information like emails and credit card details

Awards

  • Top contributor to Facebook’s bug bounty program:
    • 2017, 2018 — 5th place
    • 2019, 2020, 2021, 2022, 2023, 2024 — 1st place
  • Winner of Facebook live hacking competitions:
    • Vancouver 2019 — 1st place
    • BountyCon 2020 — 2nd place

Volunteer Work

Maintainer of the OWASP QRLJacking Project, contributing to improving security awareness and tooling within the community.
Feel free to check out my blog for detailed write-ups on some of my discoveries.