Amine Aboud

Uncovering a blind SSRF Vulnerability in Facebook’s Infrastructure ($10000 — Bug Bounty) [pinned]
Subdomains Enumeration + File Bruteforcing + Code Review = $10K Blind SSRF
Dec 5, 2020

IDOR Vulnerability Allowed Removal of Any Contact Point from the Address Book Database of Facebook…
This write-up details an IDOR vulnerability I discovered in the Facebook Contacts Removal Tool. This vulnerability could have allowed…
Apr 27

Host Header Manipulation Leading to Unauthorized Access to Apple’s Internal Slack bot (Bug Bounty)
This article is a repost from my previous blog, archived here for accessibility.
Apr 7

GraphQL IDOR: Disclose Leads Form Details of Any Facebook Business Account or Page (Bug Bounty)
By chaining two GraphQL IDOR vulnerabilities affecting the Facebook Leads Center, a malicious actor could have exposed the leads form…
May 22, 2021

GraphQL IDOR: Access Developer Tasks List of any Facebook Application (Bug Bounty)
This vulnerability could have let a malicious user access the developer tasks list of any Facebook Application. Developer tasks are private…
Feb 1, 2021

Revealing Facebook Employees’ Pictures and Profiles in Official Announcement Messages (Bug Bounty)
The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official…
Feb 1, 2021