By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center a malicious user could have exposed the leads form details of any Facebook Page or Facebook Business Account.
Advertisers spend a lot of time, energy and money optimizing their leads campaigns and doing countless A/B tests in order to…
This vulnerability could have let a malicious user access developer tasks list of any Facebook Application. Developer tasks are private informations that should be accessed only by the authorized developer of the concerned Facebook application.
While browsing https://developers.facebook.com/apps/ …
The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official announcement messages (supposed to be displayed to users as coming from Facebook).
Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement.
By checking the…
Subdomains enumeration + File bruteforcing + JS analysis = $10K Blind SSRF
This is a write-up about a SSRF vulnerability I found on Facebook.
The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.
By doing some subdomains enumeration, I found the following…
Hello world!
I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world.
That being said, here’s a quick write up on a distinct vulnerability I found and…
