By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center, a malicious user could have exposed the leads form details of any Facebook Page or Facebook Business Account.

Impact:

Advertisers spend a lot of time, energy and money optimizing their leads campaigns and doing countless A/B tests in order to get the right performing ad. …


This vulnerability could have let a malicious user access the developer tasks list of any Facebook Application. Developer tasks are private information that should be accessible only to the authorized developers of the concerned Facebook application.

While browsing https://developers.facebook.com/apps/ I noticed a GraphQL request that was returning the tasks list of my Facebook application.

By intercepting the request and changing the appId value to the ID of a third-party Facebook Application, I was able to access the tasks list of the targeted app.

Reproduction Steps

1) Send a POST request to https://www.facebook.com/api/graphql/


The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official announcement messages (supposed to be displayed to users as coming from Facebook).

Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement.

By checking the HTTP History in Burp, I noticed that a GraphQL request was triggered while browsing the announcement page.

By analyzing the response of this request, I found a value named “creator_profile_pic_uri” that was returning a URL with a picture ID:


Subdomains enumeration + File bruteforcing + JS analysis = $10K Blind SSRF

This is a write-up about an SSRF vulnerability I found on Facebook.

The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.

1) Subdomain Enumeration

By doing some subdomain enumeration, I found the following subdomain: phishme.thefacebook.com


Hello world!

I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world.

That being said, here’s a quick write-up on a distinct vulnerability I found and reported recently to Facebook.

The Story

While doing some subdomain enumeration, I found a subdomain which instantly raised my interest: https://legal.tapprd.thefacebook.com/

The reason being that servers used for “legal needs” usually contain important data.

I started googling afterwards and found the following endpoint indexed in the search results: https://legal.tapprd.thefacebook.com/tapprd/auth/identity/logout

& so…

Amine Aboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.
