c002/Facebook-Bug-Bounty-Write-ups

Hunting Bugs for Fun and Profit

2018 Facebook Bug Bounty Write-ups

• http://whitehatstories.blogspot.com/2018/03/setting-up-tests-for-any-app-or-pixel.html
• http://whitehatstories.blogspot.com/2018/04/hi-this-post-is-regarding-one-of-my.html
• http://whitehatstories.blogspot.com/2018/05/how-i-could-have-made-your-products-out.html
• http://www.askbuddie.com/unauthorized-comments-on-facebook-live-stream/
• https://asad0x01.blogspot.com/2018/03/see-unpublished-job-of-any-page.html
• https://asad0x01.blogspot.com/2018/05/toggling-comment-option-of-post.html
• https://ash-king.co.uk/downloading-any-file-via-facebook-android.html
• https://ash-king.co.uk/facebook-bug-bounty-09-18.html
• https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/
• https://bugbounty.blog/2018/09/18/facebook-750-reward-for-a-simple-bug/
• https://medium.com/@JubaBaghdad/how-i-was-able-to-delete-any-image-in-facebook-community-question-forum-a03ea516e327
• https://medium.com/@kankrale.rahul/dos-on-facebook-android-app-using-65530-characters-of-zero-width-no-break-space-db41ca8ded89
• https://medium.com/@markchristiandeduyo/misconfiguration-of-demographics-privacy-in-a-page-682feb1179f2
• https://medium.com/@maxpasqua/breaking-appointments-and-job-interview-schedules-with-malformed-times-edef103e46ba
• https://medium.com/@maxpasqua/chaining-two-vulnerabilities-to-break-facebook-appointment-times-for-the-second-time-ac639f8c8773
• https://medium.com/@maxpasqua/stealing-side-channel-attack-tokens-in-facebook-account-switcher-90c5944e3b58
• https://medium.com/@maxpasqua/unremovable-tags-in-facebook-page-reviews-656e095e69aa
• https://medium.com/@ritishkumarsingh/facebook-vulnerability-hiding-from-the-view-of-business-admin-in-the-business-manager-a04515fee9dd
• https://medium.com/@rohitcoder/email-id-phone-number-can-be-exposed-through-business-manager-e79b970ea288
• https://medium.com/@samm0uda/bruteforcing-instagram-accounts-passwords-without-limit-7eaeda606ea
• https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520
• https://medium.com/@UpdateLap/idor-facebook-malicious-person-add-people-to-the-top-fans-4f1887aad85a
• https://medium.com/@UpdateLap/privileged-escalation-in-facebook-messenger-rooms-e71cb7275101
• https://medium.com/bugbountywriteup/add-comment-on-a-private-oculus-developer-bug-report-93f35bc80b2c
• https://medium.com/bugbountywriteup/add-description-to-instagram-posts-on-behalf-of-other-users-6500-7d55b4a24c5a
• https://medium.com/bugbountywriteup/bypass-admin-approval-mute-member-and-posting-permissions-for-only-admins-in-facebook-groups-ef476cb3d524
• https://medium.com/bugbountywriteup/creating-test-conversion-using-any-app-8b32ee0a735
• https://medium.com/bugbountywriteup/disclose-private-video-thumbnail-from-facebook-workplace-52b6ec4d73b7
• https://medium.com/bugbountywriteup/disclosure-of-facebook-page-admin-due-to-insecure-tagging-behavior-24ff09de5c29
• https://medium.com/bugbountywriteup/distorted-and-undeletable-posts-in-facebook-group-9424e15f5551
• https://medium.com/bugbountywriteup/how-i-was-able-to-generate-access-tokens-for-any-facebook-user-6b84392d0342
• https://medium.com/bugbountywriteup/make-any-unit-in-facebook-groups-undeletable-efb68e26adb9
• https://philippeharewood.com/access-to-fbconnections/
• https://philippeharewood.com/application-secret-embedded-in-login-flow-for-facebook-swag-store/
• https://philippeharewood.com/change-the-background-of-3d-posts-for-any-facebook-user/
• https://philippeharewood.com/create-learning-units-for-any-group/
• https://philippeharewood.com/determine-members-in-a-closed-facebook-group/
• https://philippeharewood.com/disclose-facebook-page-admins-in-3d/
• https://philippeharewood.com/disclose-page-admins-via-facebook-camera-effects/
• https://philippeharewood.com/disclose-page-admins-via-gaming-dashboard-bans/
• https://philippeharewood.com/disclose-page-admins-via-job-source-recruiter-requests/
• https://philippeharewood.com/disclose-page-admins-via-our-story-feature/
• https://philippeharewood.com/disclose-page-admins-via-watch-parties-in-a-facebook-group/
• https://philippeharewood.com/facebook-business-takeover/
• https://philippeharewood.com/path-disclosure-in-instagram-ads-graphql/
• https://philippeharewood.com/send-payment-invoices-as-any-facebook-page/
• https://philippeharewood.com/unintended-control-over-the-email-body-in-partner-integration-email-instructions/
• https://philippeharewood.com/view-facebook-friends-for-any-user/
• https://philippeharewood.com/view-private-instagram-photos/
• https://philippeharewood.com/view-the-bug-subscriptions-for-any-oculus-user/
• https://philippeharewood.com/view-the-email-subscriptions-for-any-oculus-user/
• https://philippeharewood.com/view-the-facebook-stories-for-any-media-effect/
• https://philippeharewood.com/view-the-vr-experiences-for-any-oculus-user/
• https://rpadovani.com/facebook-responsible-disclosure
• https://wongmjane.com/post/disclose-fb-intern-server-info-with-a-strange-poll/
• https://wongmjane.com/post/reveal-fb-employee-behind-funfact/
• https://wongmjane.com/post/view-insights-for-any-fb-marketplace-product/
• https://www.amolbaikar.com/xss-on-facebook-instagram-cdn-server-bypassing-signature-protection/
• https://www.amolbaikar.com/xss-on-facebooks-acquisition-oculus-cdn/
• https://www.facebook.com/notes/kinghackx/improper-permissions-when-posting-stories-in-facebook-group/143172329851275
• https://www.facebook.com/notes/kinghackx/prevent-group-admin-from-seeing-stories-within-the-group/143174459851062
• https://www.stueotue.xyz/2018/05/create-undeletable-post-in-groupevent.html
• https://www.stueotue.xyz/2018/10/disclose-facebook-learning-unit-group.html
• https://www.youtube.com/watch?v=EXNchVewMF0
• https://www.youtube.com/watch?v=H0aQPcuskMo
• https://www.youtube.com/watch?v=ic-R8jtRoME
• https://www.youtube.com/watch?v=N_i8sPlbtZs
• https://www.youtube.com/watch?v=Y5BUqdY_M1M

2017 Facebook Bug Bounty Write-ups

• http://asad0x01.blogspot.com/2017/05/facebook-bug-bountycommenting-on-non.html
• http://asad0x01.blogspot.com/2017/05/facebook-buggetting-other-users-ip.html
• http://asad0x01.blogspot.com/2017/10/facebook-bug-bounty-view-game-scores-of-any-user.html
• http://whitehatstories.blogspot.com/2017/05/oauth-token-validation-bug-in-facebook.html
• http://whitehatstories.blogspot.com/2017/09/how-i-could-have-crashed-page-role.html
• http://whitehatstories.blogspot.com/2018/01/how-i-could-have-hacked-facebook.html
• https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html
• https://medium.com/@joshuaregio/enable-comment-mirroring-as-an-analyst-2c226f367c47
• https://medium.com/@joshuaregio/modifying-any-ad-space-and-placement-e22c7cec050f
• https://medium.com/@joshuaregio/using-app-ads-helper-as-an-analytic-user-e751fcf9c594
• https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37
• https://medium.com/@lokeshdlk77/stealing-facebook-mailchimp-application-oauth-2-0-access-token-3af51f89f5b0
• https://medium.com/@maxpasqua/adding-any-user-to-facebook-rooms-5cde1692c809
• https://medium.com/@maxpasqua/privileged-de-escalation-in-facebook-ads-manager-28aa42300318
• https://medium.com/@maxpasqua/vertical-privileged-escalation-in-facebook-rooms-11766502c911
• https://medium.com/@maxpasqua/xss-in-facebook-cdn-through-ar-studio-effects-6d3a670aa7fe
• https://medium.com/@maxpasqua/xss-in-oculus-rifts-cdn-f5bac5ec7b9c
• https://medium.com/@samm0uda/a-misconfiguration-in-techprep-fb-com-rest-api-allowed-me-to-modify-any-user-profile-9dd0ff99d757
• https://medium.com/@samm0uda/how-i-was-able-to-upload-files-to-api-techprep-fb-com-74308ff767b
• https://medium.com/@vishnu0002/instagram-multi-factor-authentication-bypass-924d963325a1
• https://medium.com/@zahidali_93675/cross-site-request-forgery-in-facebook-86087201d8c
• https://medium.com/@zahidali_93675/posting-on-groups-as-people-whenever-their-email-was-known-by-an-attacker-9dc8d7baf970
• https://medium.com/@zk34911/facebook-bug-bounty-how-i-was-able-to-enumerate-instagram-accounts-who-had-enabled-2fa-two-step-fddba9e9741c
• https://medium.com/bugbountywriteup/whatsapp-dos-vulnerability-in-ios-android-d896f76d3253
• https://medium.freecodecamp.org/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1
• https://omespino.com/facebook-bug-bounty-getting-access-to-prompt-debug-dialog-and-serialized-tool-on-main-website-facebook-com/
• https://opnsec.com/2018/03/stored-xss-on-facebook/
• https://pagefault.me/2017/01/12/fb-open-redirect/
• https://philippeharewood.com/a-walk-in-the-workplace/
• https://philippeharewood.com/change-trust-project-credibility-indicators-as-an-analyst/
• https://philippeharewood.com/de-anonymizing-facebook-ads/
• https://philippeharewood.com/delete-a-hotel-object-from-a-facebook-product-catalog-using-public_profile-permission/
• https://philippeharewood.com/determine-a-user-from-a-private-phone-number/
• https://philippeharewood.com/disclose-users-with-roles-on-facebook-pages/
• https://philippeharewood.com/facebook-ad-spend-details-leaking-for-facebook-marketing-partners/
• https://philippeharewood.com/facebook-graphql-csrf/
• https://philippeharewood.com/facebook-stories-disclose-facebook-friend-list/
• https://philippeharewood.com/find-instagram-contacts-for-any-user-on-facebook/
• https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user-revisited/
• https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user/
• https://philippeharewood.com/make-recruiting-referrals-on-behalf-of-facebook/
• https://philippeharewood.com/order-facebook-friends-by-facebook-recruiting-technical-coefficient/
• https://philippeharewood.com/posting-gifs-as-anyone-on-facebook/
• https://philippeharewood.com/searching-internal-gatekeeper-constants/
• https://philippeharewood.com/see-if-any-facebook-user-is-marked-in-a-crisis/
• https://philippeharewood.com/view-former-members-of-a-facebook-group/
• https://philippeharewood.com/view-instant-articles-traffic-lift-for-any-page/
• https://philippeharewood.com/view-saved-offers-of-another-user/
• https://philippeharewood.com/view-the-ads-retention-curve-completion-rate-for-any-ad-account/
• https://philippeharewood.com/view-the-assigned-roles-and-emails-of-an-instagram-account/
• https://philippeharewood.com/view-the-job-applications-of-a-page-as-an-analyst/
• https://philippeharewood.com/view-the-owned-test-users-for-facebook-employees/
• https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/
• https://twitter.com/0x01alka/status/826520689595265026
• https://w00troot.blogspot.com/2017/12/how-i-found-ssrf-on-thefacebookcom.html
• https://www.amolbaikar.com/facebook-source-code-disclosure-in-ads-api/
• https://www.facebook.com/DynamicW0rld/videos/537437603273104/
• https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak
• https://www.josipfranjkovic.com/blog/facebook-partners-portal-account-takeover
• https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf
• https://www.seekurity.com/blog/general/business-logic-vulnerabilities-series-a-story-of-a-4-years-old-and-counting-facebook-security-bug/
• https://www.seekurity.com/blog/general/business-logic-vulnerabilities-series-how-i-became-invisible-and-immune-to-blocking-on-instagram/
• https://www.wired.com/story/facebook-bug-could-let-advertisers-see-your-phone-number/
• https://www.youtube.com/watch?v=3KwGmKucayg
• https://www.youtube.com/watch?v=DvNHjh0EJNs
• https://www.youtube.com/watch?v=M6oVdgFZqf0