Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/1hack0/facebook-bug-bounty-write-ups

Hunting Bugs for Fun and Profit

## 2018 Facebook Bug Bounty Write-ups
* http://whitehatstories.blogspot.com/2018/03/setting-up-tests-for-any-app-or-pixel.html
* http://whitehatstories.blogspot.com/2018/04/hi-this-post-is-regarding-one-of-my.html
* http://whitehatstories.blogspot.com/2018/05/how-i-could-have-made-your-products-out.html
* http://www.askbuddie.com/unauthorized-comments-on-facebook-live-stream/
* https://asad0x01.blogspot.com/2018/03/see-unpublished-job-of-any-page.html
* https://asad0x01.blogspot.com/2018/05/toggling-comment-option-of-post.html
* https://ash-king.co.uk/downloading-any-file-via-facebook-android.html
* https://ash-king.co.uk/facebook-bug-bounty-09-18.html
* https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/
* https://bugbounty.blog/2018/09/18/facebook-750-reward-for-a-simple-bug/
* https://medium.com/@JubaBaghdad/how-i-was-able-to-delete-any-image-in-facebook-community-question-forum-a03ea516e327
* https://medium.com/@kankrale.rahul/dos-on-facebook-android-app-using-65530-characters-of-zero-width-no-break-space-db41ca8ded89
* https://medium.com/@markchristiandeduyo/misconfiguration-of-demographics-privacy-in-a-page-682feb1179f2
* https://medium.com/@maxpasqua/breaking-appointments-and-job-interview-schedules-with-malformed-times-edef103e46ba
* https://medium.com/@maxpasqua/chaining-two-vulnerabilities-to-break-facebook-appointment-times-for-the-second-time-ac639f8c8773
* https://medium.com/@maxpasqua/stealing-side-channel-attack-tokens-in-facebook-account-switcher-90c5944e3b58
* https://medium.com/@maxpasqua/unremovable-tags-in-facebook-page-reviews-656e095e69aa
* https://medium.com/@ritishkumarsingh/facebook-vulnerability-hiding-from-the-view-of-business-admin-in-the-business-manager-a04515fee9dd
* https://medium.com/@rohitcoder/email-id-phone-number-can-be-exposed-through-business-manager-e79b970ea288
* https://medium.com/@samm0uda/bruteforcing-instagram-accounts-passwords-without-limit-7eaeda606ea
* https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520
* https://medium.com/@UpdateLap/idor-facebook-malicious-person-add-people-to-the-top-fans-4f1887aad85a
* https://medium.com/@UpdateLap/privileged-escalation-in-facebook-messenger-rooms-e71cb7275101
* https://medium.com/bugbountywriteup/add-comment-on-a-private-oculus-developer-bug-report-93f35bc80b2c
* https://medium.com/bugbountywriteup/add-description-to-instagram-posts-on-behalf-of-other-users-6500-7d55b4a24c5a
* https://medium.com/bugbountywriteup/bypass-admin-approval-mute-member-and-posting-permissions-for-only-admins-in-facebook-groups-ef476cb3d524
* https://medium.com/bugbountywriteup/creating-test-conversion-using-any-app-8b32ee0a735
* https://medium.com/bugbountywriteup/disclose-private-video-thumbnail-from-facebook-workplace-52b6ec4d73b7
* https://medium.com/bugbountywriteup/disclosure-of-facebook-page-admin-due-to-insecure-tagging-behavior-24ff09de5c29
* https://medium.com/bugbountywriteup/distorted-and-undeletable-posts-in-facebook-group-9424e15f5551
* https://medium.com/bugbountywriteup/how-i-was-able-to-generate-access-tokens-for-any-facebook-user-6b84392d0342
* https://medium.com/bugbountywriteup/make-any-unit-in-facebook-groups-undeletable-efb68e26adb9
* https://philippeharewood.com/access-to-fbconnections/
* https://philippeharewood.com/application-secret-embedded-in-login-flow-for-facebook-swag-store/
* https://philippeharewood.com/change-the-background-of-3d-posts-for-any-facebook-user/
* https://philippeharewood.com/create-learning-units-for-any-group/
* https://philippeharewood.com/determine-members-in-a-closed-facebook-group/
* https://philippeharewood.com/disclose-facebook-page-admins-in-3d/
* https://philippeharewood.com/disclose-page-admins-via-facebook-camera-effects/
* https://philippeharewood.com/disclose-page-admins-via-gaming-dashboard-bans/
* https://philippeharewood.com/disclose-page-admins-via-job-source-recruiter-requests/
* https://philippeharewood.com/disclose-page-admins-via-our-story-feature/
* https://philippeharewood.com/disclose-page-admins-via-watch-parties-in-a-facebook-group/
* https://philippeharewood.com/facebook-business-takeover/
* https://philippeharewood.com/path-disclosure-in-instagram-ads-graphql/
* https://philippeharewood.com/send-payment-invoices-as-any-facebook-page/
* https://philippeharewood.com/unintended-control-over-the-email-body-in-partner-integration-email-instructions/
* https://philippeharewood.com/view-facebook-friends-for-any-user/
* https://philippeharewood.com/view-private-instagram-photos/
* https://philippeharewood.com/view-the-bug-subscriptions-for-any-oculus-user/
* https://philippeharewood.com/view-the-email-subscriptions-for-any-oculus-user/
* https://philippeharewood.com/view-the-facebook-stories-for-any-media-effect/
* https://philippeharewood.com/view-the-vr-experiences-for-any-oculus-user/
* https://rpadovani.com/facebook-responsible-disclosure
* https://wongmjane.com/post/disclose-fb-intern-server-info-with-a-strange-poll/
* https://wongmjane.com/post/reveal-fb-employee-behind-funfact/
* https://wongmjane.com/post/view-insights-for-any-fb-marketplace-product/
* https://www.amolbaikar.com/xss-on-facebook-instagram-cdn-server-bypassing-signature-protection/
* https://www.amolbaikar.com/xss-on-facebooks-acquisition-oculus-cdn/
* https://www.facebook.com/notes/kinghackx/improper-permissions-when-posting-stories-in-facebook-group/143172329851275
* https://www.facebook.com/notes/kinghackx/prevent-group-admin-from-seeing-stories-within-the-group/143174459851062
* https://www.stueotue.xyz/2018/05/create-undeletable-post-in-groupevent.html
* https://www.stueotue.xyz/2018/10/disclose-facebook-learning-unit-group.html
* https://www.youtube.com/watch?v=EXNchVewMF0
* https://www.youtube.com/watch?v=H0aQPcuskMo
* https://www.youtube.com/watch?v=ic-R8jtRoME
* https://www.youtube.com/watch?v=N_i8sPlbtZs
* https://www.youtube.com/watch?v=Y5BUqdY_M1M

## 2017 Facebook Bug Bounty Write-ups
* http://asad0x01.blogspot.com/2017/05/facebook-bug-bountycommenting-on-non.html
* http://asad0x01.blogspot.com/2017/05/facebook-buggetting-other-users-ip.html
* http://asad0x01.blogspot.com/2017/10/facebook-bug-bounty-view-game-scores-of-any-user.html
* http://whitehatstories.blogspot.com/2017/05/oauth-token-validation-bug-in-facebook.html
* http://whitehatstories.blogspot.com/2017/09/how-i-could-have-crashed-page-role.html
* http://whitehatstories.blogspot.com/2018/01/how-i-could-have-hacked-facebook.html
* https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html
* https://medium.com/@joshuaregio/enable-comment-mirroring-as-an-analyst-2c226f367c47
* https://medium.com/@joshuaregio/modifying-any-ad-space-and-placement-e22c7cec050f
* https://medium.com/@joshuaregio/using-app-ads-helper-as-an-analytic-user-e751fcf9c594
* https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37
* https://medium.com/@lokeshdlk77/stealing-facebook-mailchimp-application-oauth-2-0-access-token-3af51f89f5b0
* https://medium.com/@maxpasqua/adding-any-user-to-facebook-rooms-5cde1692c809
* https://medium.com/@maxpasqua/privileged-de-escalation-in-facebook-ads-manager-28aa42300318
* https://medium.com/@maxpasqua/vertical-privileged-escalation-in-facebook-rooms-11766502c911
* https://medium.com/@maxpasqua/xss-in-facebook-cdn-through-ar-studio-effects-6d3a670aa7fe
* https://medium.com/@maxpasqua/xss-in-oculus-rifts-cdn-f5bac5ec7b9c
* https://medium.com/@samm0uda/a-misconfiguration-in-techprep-fb-com-rest-api-allowed-me-to-modify-any-user-profile-9dd0ff99d757
* https://medium.com/@samm0uda/how-i-was-able-to-upload-files-to-api-techprep-fb-com-74308ff767b
* https://medium.com/@vishnu0002/instagram-multi-factor-authentication-bypass-924d963325a1
* https://medium.com/@zahidali_93675/cross-site-request-forgery-in-facebook-86087201d8c
* https://medium.com/@zahidali_93675/posting-on-groups-as-people-whenever-their-email-was-known-by-an-attacker-9dc8d7baf970
* https://medium.com/@zk34911/facebook-bug-bounty-how-i-was-able-to-enumerate-instagram-accounts-who-had-enabled-2fa-two-step-fddba9e9741c
* https://medium.com/bugbountywriteup/whatsapp-dos-vulnerability-in-ios-android-d896f76d3253
* https://medium.freecodecamp.org/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1
* https://omespino.com/facebook-bug-bounty-getting-access-to-prompt-debug-dialog-and-serialized-tool-on-main-website-facebook-com/
* https://opnsec.com/2018/03/stored-xss-on-facebook/
* https://pagefault.me/2017/01/12/fb-open-redirect/
* https://philippeharewood.com/a-walk-in-the-workplace/
* https://philippeharewood.com/change-trust-project-credibility-indicators-as-an-analyst/
* https://philippeharewood.com/de-anonymizing-facebook-ads/
* https://philippeharewood.com/delete-a-hotel-object-from-a-facebook-product-catalog-using-public_profile-permission/
* https://philippeharewood.com/determine-a-user-from-a-private-phone-number/
* https://philippeharewood.com/disclose-users-with-roles-on-facebook-pages/
* https://philippeharewood.com/facebook-ad-spend-details-leaking-for-facebook-marketing-partners/
* https://philippeharewood.com/facebook-graphql-csrf/
* https://philippeharewood.com/facebook-stories-disclose-facebook-friend-list/
* https://philippeharewood.com/find-instagram-contacts-for-any-user-on-facebook/
* https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user-revisited/
* https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user/
* https://philippeharewood.com/make-recruiting-referrals-on-behalf-of-facebook/
* https://philippeharewood.com/order-facebook-friends-by-facebook-recruiting-technical-coefficient/
* https://philippeharewood.com/posting-gifs-as-anyone-on-facebook/
* https://philippeharewood.com/searching-internal-gatekeeper-constants/
* https://philippeharewood.com/see-if-any-facebook-user-is-marked-in-a-crisis/
* https://philippeharewood.com/view-former-members-of-a-facebook-group/
* https://philippeharewood.com/view-instant-articles-traffic-lift-for-any-page/
* https://philippeharewood.com/view-saved-offers-of-another-user/
* https://philippeharewood.com/view-the-ads-retention-curve-completion-rate-for-any-ad-account/
* https://philippeharewood.com/view-the-assigned-roles-and-emails-of-an-instagram-account/
* https://philippeharewood.com/view-the-job-applications-of-a-page-as-an-analyst/
* https://philippeharewood.com/view-the-owned-test-users-for-facebook-employees/
* https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/
* https://twitter.com/0x01alka/status/826520689595265026
* https://w00troot.blogspot.com/2017/12/how-i-found-ssrf-on-thefacebookcom.html
* https://www.amolbaikar.com/facebook-source-code-disclosure-in-ads-api/
* https://www.facebook.com/DynamicW0rld/videos/537437603273104/
* https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak
* https://www.josipfranjkovic.com/blog/facebook-partners-portal-account-takeover
* https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf
* https://www.seekurity.com/blog/general/business-logic-vulnerabilities-series-a-story-of-a-4-years-old-and-counting-facebook-security-bug/
* https://www.seekurity.com/blog/general/business-logic-vulnerabilities-series-how-i-became-invisible-and-immune-to-blocking-on-instagram/
* https://www.wired.com/story/facebook-bug-could-let-advertisers-see-your-phone-number/
* https://www.youtube.com/watch?v=3KwGmKucayg
* https://www.youtube.com/watch?v=DvNHjh0EJNs
* https://www.youtube.com/watch?v=M6oVdgFZqf0
* https://www.youtube.com/watch?v=b85Q8lakfTw