corrupted-brain/Facebook-Bug-Bounty-Writeups

🛡️ Facebook Bug Bounty Writeups Collection ✍️

💖 A curated list of Facebook bug bounty writeups by various security researchers.🌙

You can contribute to this collection by submitting your own writeup or any others you know of, written in clear and concise English. Your contributions will help others learn from your experiences and improve the security of Facebook's platform.

Table of Contents

• Account Takeovers
• Remove Code Execution
• Two-Factor Authentication Bypass
• Cross-Site Scripting
• Cross-Site Request Forgery
• Server-Side Request Forgery
• Logic Vulnerabilities
• Race Conditions
• Rate Limits
• Open Redirects
• Clickjacking
• Insecure Direct Object Reference
• Privacy/spam
• Page Roles
• Facebook Ads
• Facebook Groups
• Phone Numbers
• Email Address
• BIP Address
• Symlink Attack
• Accellion’s Secure File Transfer
• XXE
• LFI
• SQL Injection
• Jenkins
• API
• GraphQL
• FQL
• Logic Nonces
• OAuth
• Instagram
• Signal
• Slingshot
• Messenger Android
• Moments
• Moves
• WhatsApp
• Workplace
• Whitehat Test Accounts
• Facebook Events
• DoS Attack
• Facebook/Instagram Mobile App
• Extra resources
• Thanks

Account Takeovers

• React debugkeystore key was trusted by Facebook and Oculus domains, leading to account takeover.
• Multiple bugs chained to takeover Facebook Accounts which uses Gmail.
• Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing.
• Multiple bugs chained to takeover Facebook Accounts which uses Gmail.
• Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts.
• More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers.
• Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens.
• Facebook account takeover due to unsafe redirects after the OAuth flow.
• Facebook account takeover due to a wide platform bug in ajaxpipe responses.

Remote Code Execution

• Facebook's imagetragick story.
• Meta's SparkAR RCE Via ZIP Path Traversal .

2FA Bypass

• How I could’ve bypassed the 2FA security of Instagram once again.
• Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD)

XSS

• XSS in Facebook CDN due to improper filtering of uploaded files extensions

• One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover

• Stored XSS on Facebook.

• Stored XSS on Facebook. thread, POC

• An XSS on Facebook via PNGs & Wonky Content Types

• Ability to upload HTML via SRT caption files for Facebook Videos

• Another xss in facebook.

• Xss in facebook translations

• Lessons from fb security bb program.

• Facebook Bug Bounty 2014, Reflected XSS and Filter Evasion worth $7500.

• Facebook FriendFeed Stored XSS

• Stored XSS on Atlassolutions (Facebook Acquisition)

• Facebooks Boltpeters.com Configuration File Source Code Disclosure Vulnerability

• See The Posts Of A Friend Who Blocked You

• Content Types and XSS in Facebook Studio

• Facebook Fixes Minor Issues

• Facebook XSS Vulnerability

• Stored XSS in Facebook's Custom OpenGraph Action Type

• XSS Vulnerability in Gill.is website

• Stored XSS at Parse

• Reflected XSS in Instagram's Link Shim

• DOM XSS in Facebook Mobile Site/App Login

CSRF

• CSRF in Instagram
• Facebook SMS Captcha was Vulnerable to CSRF Attack
• Facebook Bug Bounty: The Most Severe CSRF Vulnerability (video)
• Invisible Arbitrary CSRF Profile Picture Upload in Facebook
• Facebook CSRF Full Account Takeover
• Facebook Bug Bounty: Secondary Damage (CSRF via XSRF token)
• Facebook CSRF Worth USD 5000
• Hacking any Facebook account - Exploit (PoC)
• Exploiting Facebook's Oculus
• Multiple CSRF vulnerabilities in Facebook Messenger
• Messenger Site-wide CSRF
• FacebookMarketingDevelopers.com: Proxies, CSRF, quandry and API fun!
• Bypassing Facebook CSRF
• How I Bypassed Facebook CSRF in 2016
• Adding Welcome Notes to Facebook Groups using CSRF
• Cross-Site Request Forgery in Facebook
• Facebook Security Bug: CSRF in the Signup Form
• Low Hanging Fruits #4 - Facebook CSRF and more

SSRF

• $10000 Facebook SSRF (Bug Bounty)

Logic

• How I Hacked Facebook Employees Secure Files Server
• Breaking Facebook's Text Captcha
• Business Logic Flaw on Facebook (PoC)
• Edit the Facebook Album Order of Any User
• Missing Authorization Check in Pages Manager
• Facebook: Bypassing prohibit-embedding protection and stealing user data
• Facebook Vulnerability that allows to add almost anyone to any group
• Facebook bug allows to access other users' blocked friend list
• Facebook Unrestricted File Upload to Remote Code Execution
• Facebook Graph API Bug - Disclosing Friends List
• Facebook Checkpoint Bypass

Race conditions

• Race conditions on the web
• Race conditions on Facebook

Rate Limits

• Facebook Bug: PoC ContactPoint Inference
• How I Could Have Hacked Your Facebook Account
• Facebook Account Takeover
• Instagram Account Takeover
• Bug Hunter Discloses Way to Hack Instagram Accounts on Facebook

Open Redirect ($500+)

• Multiple Open Redirection
• Evading Facebook Linkshim
• Multiple Open URL Redirection Vulnerability in Facebook Worth $1500
• Cross-Site Scripting in Facebook Ads Manager
• How I Discovered a $1000 Open Redirect in Facebook

Clickjacking

• How I Got $5000 from Facebook Bug Bounty
• Facebook Bug Bounty: Clickjacking
• Bypassing Facebook's Login Protection

Insecure Direct Object Reference (IDOR)

• Instagram IDOR Bug - $4300
• Disclosing Unconfirmed Email/Phone of a Facebook User
• Hacking Facebook.com/thanks for Posting on Your Wall
• Hijacking a Facebook Account with SMS
• Delete Any Photo from Facebook by Exploiting Support Dashboard
• Removing Covers/Images on Friendship Pages on Facebook
• How I Hacked Your Facebook Photos
• Overwriting/Removing Cover Photos on Facebook Profiles
• Facebook Page Takeover Zero-Day Vulnerability
• Insecure Direct Object Reference (IDOR) in Facebook Groups
• Delete anyone's facebook video
• Posting GIFs as Anyone on Facebook
• Image Removal Vulnerability in Facebook

Privacy/Spam

• This is how I was able to see private archived posts/stories of users on Instagram without following them
• A Facebook Bug That Exposes Email/Phone Number to Your Friends
• This is how I was able to see and delete your private Facebook Portal photos
• Trim private live videos and access them
• Ability to Invite Any User to a Facebook Page (All Non-Friends)
• How I Made $500 USD by Reporting Logical Vulnerability on Facebook
• Facebook User Identification Bug
• Facebook Privacy Bug: View Photos as a Blocked User
• A Bug in Facebook That Violated My Privacy
• The Easiest Bug Bounties I Have Ever Won
• Facebook’s Bug: Fooling Graph Search to Bypass Privacy Restrictions
• Ability to Send Payment Requests Inspite of Being Blocked by the Recipient
• Curiosity and Passion to Your Profession Might Lead to Make Your Dream Come True
• My 2nd Facebook Bounty POC: FB data of birth disclosure
• Silently Using Facebook XMPP
• Find Mingle Suggestions for Any Facebook User
• Find Mingle Suggestions for Any Facebook User Revisited

Page Roles

• How I Was Able to Reveal Page Admin of Almost Any Page on Facebook
• Page Admin Disclosure When Posting a Reel
• How I Could Have Crashed Page Role
• Tag Photos as a Page Analyst
• Using an Analyst Account to Post to Facebook Open Graph Objects
• Like Any Facebook Page as a Page Analyst
• Viewing Payment Information as an Ad Analyst
• View the Job Applications of a Page as an Analyst
• Deactivate Facebook Page Shop as an Analyst
• Create a Product as an Analyst on a Facebook Page Store
• Disclose Users with Roles on Facebook Pages
• Change Trust Project Credibility Indicators as an Analyst
• A Simple Bug on Facebook That Is Worth $8,000
• Using App Ads Helper as an Analytic User

Facebook Ads

• Instagram Ad Account Disclosure
• Facebook Bypass Ads Account Roles
• Ads API Error Leads to Ad Account ID Being Leaked from the Legacy Account ID
• View the Ads Retention Curve Completion Rate for Any Ad Account
• De-Anonymizing Facebook Ads
• Session Expiration Bypass in Facebook Creator App
• Whitehat: Test Accounts can act as Hidden Admin with Business Manager Ad Accounts

Facebook Groups

• Facebook Vulnerability Expose Group Member 3000+
• Facebook Group Members Disclosure
• Group Experts Pending Expertise Request Acceptance Disclosure
• How I was able to post in any Facebook group on behalf of its members
• POC Disclose Members in Any Closed Facebook Group
• $2500 Lakhpati Bug at Facebook: Gaining access to files of a Closed Group
• Get Group's DOC without User Permission: Facebook Graph API Bug
• The group idphotos endpoint isn't obeying the publish_actions and user_groups permission requirement
• Facebook Group Hack - In 2015 I Reported and Got 10,000$
• Missing Functional Level Access Control in Secret Groups

Phone number

• How I Was Able to Remove Your Instagram Phone Number
• Determine a User from a Private Phone Number

Email address

• How I was able to remove your Instagram phone number
• Determine a user from a private phone number
• Confirming any new email address bug in Facebook (Part 4)
• Facebook email disclosure and account takeover
• A Facebook bug that exposes email/phone number to your friends
• Obtaining the primary email address of any Facebook user
• Disclosing the primary email address for each Facebook user
• Facebook invitees email address disclosure
• Facebook Skype-to-Email leak (3000$ bounty)
• View commerce settings and email for any page shop
• View the assigned roles and emails of an Instagram account

BIP address

Facebook Bug:Getting other user's IP address from a Image on Facebook

Symlink Attack

• Reading Local Files from Facebook's Internal Network

Accellion’s Secure File Transfer

How I hacked Facebook and found someone's backdoor script

XXE

• Facebook Remote Code Execution
• Hacked Facebook Word Document

LFI

• Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

SQLI

• Pupping a shell on the oculus dev portal
• Step by step exploiting sql on fb

Jenkins

• How i hacked facebook jenkins vuln

API

• Facebook Bug:Commenting on non-friends
• Hacking Facebook's Legacy API Part 1: Making Calls on Behalf of Any User
• How I Exposed Your Primary Facebook Photos
• Facebook Insights API Bug
• Facebook v2.0 API Bug: Inconsistencies with App-Scoped IDs
• Bounty leftover part 1
• Paging Cursors Leaking Data in Graph API
• Tagged Places Shouldn't Show Paging Params If No user_tagged_places Granted
• Bypassing appsecret_proof Verification
• Change the Description of a Video Without publish_actions Permission
• Icon Field in Posts Gets access_token Appended
• Reply to a Message Without read_page_mailboxes Permission
• Bypassing Posting to Friends Timelines API Restriction
• How I Exposed Your Private Photos
• Facebook Page Profile Picture Update Requires Neither publish_pages Nor publish_actions
• The Facebook publish_pages Permission is Missing in MeLinks
• Upload Videos Thumbnails with Just public_profile Permission
• Icon Field in Posts Gets access_token Appended
• Modifying Privacy Settings on Facebook Through Graph API
• Show Friends Sharing Precise Locations as a Third-Party Application
• Change Tag Suggestions for Any Facebook User

GraphQL

• GraphQL IDOR in Facebook streamer dashboard
• View the GraphQL stored queries for any application
• Path disclosure in Facebook GraphQL API
• Facebook employees commission splits counts are shown
• Abusing Facebook Graph Search
• My 3rd Facebook Bounty Hat Trick - Chennai TCS-er Name Listed in Facebook Hall of Fame
• Facebook's Bug - Unauthorized Access to Credit Card Details Limited of Any User

FQL

• A Bug Worth $4200
• Facebook Keyword_Insights Bug
• Getting the Username in FQL in 2.0 Applications

Login Nonces

• Stealing messengerlogin nonces

OAuth (AKA Stealing Access Tokens)

• Facebook OAuth Bypass
• Hacking Facebook CSRF Device Login Flow
• Hacking Facebook's Legacy API Part 2: Stealing User Sessions
• A Story of $9,500 Bug in Facebook OAuth 2.0
• Pwning Facebook Authorization through Chrome extension
• Hacking Facebook with OAuth2 and Chrome Extension
• Stealing Facebook Access Tokens using the Facebook OAuth Dialog
• Facebook MailChimp Application OAuth 2.0 Misconfiguration
• Facebook's Parse OAuth Bug
• Facebook Authentication Bug Bounty
• How I hacked Facebook OAuth to get Full Permission Access Tokens
• OAuth 2: How I Have Hacked Facebook Again
• Stealing Facebook Access Tokens with a Double Submit
• Facebook JS Security Issue
• Swiping Facebook Official Access Tokens
• OAuth Token Validation Bug in Facebook
• Bypass OAuth Nonce and Steal Oculus Response Code
• Stealing Facebook MailChimp Application OAuth 2.0 Access Token

Instagram

• One-click reflected XSS in instagram due to unfiltered URI schemes leads to account takeover
• How I found a critical bug in Instagram and got $49,500 bounty from Facebook
• React debug.keystore key was trusted by Instagram’s APK file, leading to Account takeover
• Instagram photo was present in data backup nearly after two years being deleted
• Email confirmation bypass at Instagram
• Instagram-haavoittuvuus antaa kuvat ilman lupaa
• Breaking video calling feature in Instagram app
• Hacked your Instagram account? Here’s how to get it back
• How I found my way into Instagram’s servers
• Instagram's One-Click Privacy Switch
• Facebook BugBounty - Facebook, Instagram - Get someone's phone number with just a Facebook account
• The Tales of a Bug Bounty Hunter: 10 interesting vulnerabilities in Instagram
• How I could compromise 4 locked Instagram accounts
• Instagram Unauthorized Comment Deletion
• InstaBrute: Two Ways to Brute-force Instagram Account Credentials
• Instagram Email Verification Issue
• Find Instagram contacts for any user on Facebook
• Taking over Instagram accounts

Signal

• Getting facebook signal app access token

Slingshot

• Add any facebook user non friend to slingshot without knowing the username

Messenger Android

• Indirect thread deletion vulnerability in Messenger Android
• Session misconfiguration vulnerability in Messenger Android
• Facebook Messenger Server Random Memory Vulnerability

Moments

• Rewriting a photo not owned by the session user in Moments app
• Deleting any Moments app photo or folder not owned by the session user

Moves

• OAuth Cross-Site Scripting vulnerability in Facebook's Moves app

Whatsapp

• Bypassing biometric authentication in WhatsApp using VoIP
• WhatsApp Hacked - Remote Code Execution Vulnerability in WhatsApp Web
• G Suite vulnerability in WhatsApp
• DoS vulnerability in WhatsApp for iOS and Android
• Reading WhatsApp contacts list without unlocking the device

Workplace

• Privilege escalation vulnerability in Workplace
• Facebook Workplace Admin account takeover vulnerability

Whitehat Test Accounts

• Whitehat Test Accounts Can Act as Hidden Admin with Business Manager Ad Accounts
• Ability to find Facebook employee’s test accounts which lead to the disclosure of internal information

Facebook Event

• Irremovable Guest in Facebook Event (Facebook Bug Bounty)

Facebook Business Page

• Hacking Facebook Invoice: How I Could've Bought Anything for Free from Facebook Business Pages

DOS Attack

• Remotely Permanent Crash Any Instagram

Facebook/Instagram Mobile App

• Taking over the Call to Action button on Mobile Devices
• Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website
• Instagram vulnerability : Turn off all type of message requests using deeplink (Android)
• Facebook Messenger for android indirect thread deletion vulnerability.
• Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts
• Location disclosure in Facebook's Nearby Friends feature
• Accessing private videos and photos saved on a device

Some of the extra resources that you may want to look at !!

• Facebook Security Page
• Facebook Bug Bounty Program
• Facebook Bug Bounty Write-ups
• Facebook Security Whitepapers
• Facebook Engineering Blog
• Facebook Open Source Projects
• Facebook CTF Platform
• Facebook Security Tools and Scripts
• Facebook ThreatExchange Platform
• Facebook Security Research Summit
• Facebook Hacking Methods and Tools on GitHub
• Facebook Pentesting on Medium

Thanks

Special Thanks to :-

• @pwnwriter
• @phwd
• Jaiswalakansh
• Facebook BugBounty Group,
• and all the contributors