The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official announcement messages (supposed to be displayed to users as coming from Facebook).

Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement.

By checking the HTTP History on Blurp, I noticed that a GraphQL request was trigged while browsing the announcement page.

By analyzing the response of this request, I found a value named “creator_profile_pic_uri” that was returning an URL with a picture ID:

Subdomains enumeration + File bruteforcing + JS analysis = $10K Blind SSRF

This is a write-up about a SSRF vulnerability I found on Facebook.

The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.

1) Subdomains Enumeration

By doing some subdomains enumeration, I found the following subdomain: phishme.thefacebook.com

Hello world!

I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world.

That being said, here’s a quick write up on a distinct vulnerability I found and reported recently to Facebook.

The Story

While doing some subdomains enumeration, I found a subdomain which instantly raised my interest : https://legal.tapprd.thefacebook.com/

The reason being that servers used for “legal needs” usually contain important data.

I started googling afterwards and found the following endpoint indexed on the search results https://legal.tapprd.thefacebook.com/tapprd/auth/identity/logout

& so…