This vulnerability could have let a malicious user access developer tasks list of any Facebook Application. Developer tasks are private informations that should be accessed only by the authorized developer of the concerned Facebook application. While browsing https://developers.facebook.com/apps/ …

The vulnerability could have let a malicious user reveal the profile picture and FB profile of Facebook employees who create official announcement messages (supposed to be displayed to users as coming from Facebook). Everything started when I received a notification regarding a Facebook Bug Bounty Program Announcement. By checking the…

Subdomains enumeration + File bruteforcing + JS analysis = $10K Blind SSRF This is a write-up about a SSRF vulnerability I found on Facebook. The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network. 1) Subdomains Enumeration By doing some subdomains enumeration, I found the following…

Hello world! I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world. That being said, here’s a quick write up on a distinct vulnerability I found and…