Sunday, 20 May B.E. 2561 (2018 CE)

Facebook Bug Bounties Backup

Facebook Bug Bounties
14 October 2014 09:52
Last updated 14 October 2017
Corrections/Additions: https://m.me/113702895386410

ImageTragick
http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html

XSS
https://whitton.io/articles/xss-on-facebook-via-png-content-types/
http://philippeharewood.com/ability-to-upload-html-via-srt-caption-files-for-facebook-videos/
http://www.breaksec.com/?p=5713
http://www.nirgoldshlager.com/2013/01/another-stored-xss-in-facebookcom.html
https://nealpoole.com/blog/2011/03/xss-vulnerability-in-facebook-translations/
https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/
http://paulosyibelo.blogspot.com/2014/07/the-unseen-facebook-bug-bounty-2014-x.html
https://prakharprasad.com/facebook-friendfeed-stored-xss/
http://medu554.blogspot.com/2014/02/stored-xss-on-atlassolutions-facebook.html
http://blog.ptsecurity.com/2013/10/a-story-about-xss-on-facebook.html
https://www.youtube.com/watch?v=NQOK9-OXwsc (http://pastebin.com/raw.php?i=cuYRhM71)
http://www.websecresearch.com/2014/02/facebooks-boltpeterscom-configuration.html
http://nbsriharsha.blogspot.in/2014/03/finally-facebook-hunted.html
https://whitton.io/articles/content-types-and-xss-facebook-studio/
http://en.internetwache.org/facebook-fixes-minor-issues-02-05-2014/
http://silentzzz.blogspot.com/2007/11/facebook-xss-vulnerability.html
http://habrahabr.ru/company/pt/blog/247709/
https://web.archive.org/web/20120416034642/http://gill.is/2012/04/11/new_website
http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html
https://dr4cun0.com/blog/stored-xss-at-parse/
https://web.archive.org/web/20160724215405/http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/
https://twitter.com/opnsec/status/855076273395204097

CSRF
http://www.breaksec.com/?p=6192 (https://vimeo.com/65453658)
http://www.sneaked.net/invisible-arbitrary-csrf-profile-picture-upload-in-facebook
http://pyx.io/blog/facebook-csrf-leading-to-full-account-takeover
http://josipfranjkovic.blogspot.com/2013/11/facebook-bug-bounty-secondary-damage.html
http://ceukelai.re/?p=35
http://amolnaik4.blogspot.com/2012/08/facebook-csrf-worth-usd-5000.html
https://web.archive.org/web/20160110053958/http://www.dan-melamed.com/2013/06/hacking-any-facebook-account-exploit-poc.html
http://www.paulosyibelo.com/2015/01/facebooks-oculus-exploiting.html
http://blog.mazinahmed.net/2015/06/facebook-messenger-multiple-csrf.html
https://whitton.io/articles/messenger-site-wide-csrf/
http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/
https://pouyadarabi.blogspot.com/2015/04/bypass-facebook-csrf.html
https://pouyadarabi.blogspot.com/2016/05/how-i-bypassed-facebook-csrf-in-2016.html
http://niyaax9.blogspot.com/2016/04/facebook-csrf-adding-welcome-notes-to.html
https://medium.com/@zahidali_93675/cross-site-request-forgery-in-facebook-86087201d8c

SSRF
https://dr4cun0.com/blog/ssrf-at-update-subscription-menu/

Logic
http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html
http://pwndizzle.blogspot.in/2014/07/breaking-facebooks-text-captcha.html
http://bugbountypoc.com/business-logic-flaw-facebook-poc/
http://philippeharewood.com/edit-the-facebook-album-order-of-any-user/
http://bugbountypoc.com/missing-authorization-check-in-pages-manager/
https://immukul.blogspot.in/2017/04/facebook-bypassing-prohibit-embedding.html
https://www.youtube.com/watch?v=Qu_A_s0LLbs
https://www.youtube.com/watch?v=jxH1yyhCe_k
https://www.youtube.com/watch?v=YFmvlInx4IQ
https://www.youtube.com/watch?v=j_KiiiYpl4w
http://www.aryansinha.com/2017/08/facebook-checkpoint-flaw.html
https://www.facebook.com/Drix17/videos/vb.100006854167318/1799639230274532/?type=2&theater

Race Conditions
https://www.josipfranjkovic.com/blog/race-conditions-on-web
http://josipfranjkovic.blogspot.com/2015/04/race-conditions-on-facebook.html

Rate Limits
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
http://arunsureshkumar.me/index.php/2016/04/24/facebook-account-take-over/
http://xss001.blogspot.in/2016/05/instagram-account-takeover.html
http://techmedia.com.ng/2016/05/21/bug-hunter-dislcoses-way-hack-instagram-accounts-facebook/
http://www.kieranclaessens.be/uncategorized/facebook-text-message-actions-pincode-bruteforce/

Open Redirect ($500+)
http://thekaitokid.blogspot.com/2014/10/multiple-open-redirection.html
http://mreagle0x.blogspot.com/2014/11/bypassing-facebook-linkshim-filtration.html
http://arulxtronix.blogspot.in/2013/08/facebook-open-url-redirectors-2013.html
http://www.vulnerability-lab.com/get_content.php?id=975
http://yassineaboukir.com/blog/how-i-discovered-a-1000-open-redirect-in-facebook/

Clickjacking
http://codegrudge.blogspot.in/2015/03/how-i-got-5000-from-facebook-bugbounty.html
http://www.paulosyibelo.com/2015/03/facebook-bug-bounty-clickjacking.html
http://www.lachisterablanca.com/2014/02/bypass-de-la-proteccion-contra.html

Object Reference ($12500+)
http://www.anandpraka.sh/2014/11/hacking-facebookcomthanks-posting-on.html
http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms
https://web.archive.org/web/20130903203919/http://arulxtronix.blogspot.com/2013/09/delete-any-photo-from-facebook-by.html
https://whitton.io/articles/removing-covers-images-on-friendship-pages-on-facebook/
http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html
http://roy-castillo.blogspot.com/2016/02/overwritingremoving-cover-photos-on.html
https://blog.getwhitehats.com/a-simple-bug-on-facebook-that-is-worth-8000-6701787e1dbc
http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/
http://russellaurio.blogspot.com/2016/11/insecure-direct-object-reference-idor.html

Privacy/Spam ($1500+)
http://philippeharewood.com/ability-to-invite-any-user-to-a-facebook-page-all-non-friends/
http://sweethacking.blogspot.com/2014/11/how-i-made-500-usd-by-reporting-logical.html
http://patorjk.com/blog/2013/03/01/facebook-user-identification-bug/
http://allanjaydumanhug.ninja/blog/facebook-privacy-bug-view-photos-as-a-blocked-user/
https://abhartiya.wordpress.com/2014/12/23/a-bug-in-facebook-that-violated-my-privacy/
http://josipfranjkovic.blogspot.com/2015/07/the-easiest-bug-bounties-i-have-ever-won.html
http://www.pranavhivarekar.in/2016/02/20/facebooks-bug-fooling-graph-search-to-bypass-privacy-restrictions/
https://abhartiya.wordpress.com/2016/02/08/ability-to-send-payment-requests-inspite-of-being-blocked-by-the-recipient/
https://medium.com/@rajsek/curiosity-and-passion-to-your-profession-might-lead-to-make-your-dream-come-true-7d9be3c6029a
https://medium.com/@rajsek/my-2nd-facebook-bounty-poc-fb-data-of-birth-disclosure-d02e1bec50
https://dr4cun0.com/blog/silently-using-facebook-xmpp/
http://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user/
http://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user-revisited/
https://medium.com/@armaanpathan/idor-was-leading-to-privilege-escalation-and-violating-the-facebook-policy-355c67c654e6

Page Roles
http://whitehatstories.blogspot.in/2017/09/how-i-could-have-crashed-page-role.html
http://philippeharewood.com/tag-photos-as-a-page-analyst/
http://philippeharewood.com/using-an-analyst-account-to-post-to-facebook-open-graph-objects/
http://philippeharewood.com/like-any-facebook-page-as-a-page-analyst/
http://philippeharewood.com/viewing-payment-information-as-an-ad-analyst/
http://philippeharewood.com/view-the-job-applications-of-a-page-as-an-analyst/
http://philippeharewood.com/deactivate-facebook-page-shop-as-an-analyst/
http://philippeharewood.com/create-a-product-as-an-analyst-on-a-facebook-page-store/

Facebook Ads
https://pouyadarabi.blogspot.com/2015/03/facebook-bypass-ads-account-roles.html
http://philippeharewood.com/ads-api-error-leads-to-ad-account-id-being-leaked-from-the-legacy-account-id/
http://philippeharewood.com/view-the-ads-retention-curve-completion-rate-for-any-ad-account
http://philippeharewood.com/de-anonymizing-facebook-ads/

Facebook Groups
http://thesecuritynews.com/project/how-i-was-able-to-post-in-any-facebook-group-on-behalf-of-its-members/
https://www.facebook.com/notes/$2500-lakhpati-bug-at-facebook-gaining-access-to-files-of-a-closed-group/686615161373797
https://medium.com/@rahulmfg/get-groups-doc-without-user-permission-facebook-graph-api-bug-5f19367373a2
http://philippeharewood.com/the-group-idphotos-endpoint-isnt-obeying-the-publish_actions-and-user_groups-permission-requirement/
http://zappstiko.blogspot.com/2017/02/facebook-group-hack-in-2015-i-reported.html

Phone number
https://medium.com/@neerajedwards/how-i-was-able-to-remove-your-instagram-phone-number-d346515e79c3
http://philippeharewood.com/determine-a-user-from-a-private-phone-number/

Email address
http://stephensclafani.com/2013/07/09/obtaining-the-primary-email-address-of-any-facebook-user/
http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-for-each-facebook-user/
http://fogmarks.com/2016/04/03/facebook-invitees-email-addresss-disclosure/
http://blog.internot.info/2014/05/facebook-skype-to-email-leak-3000-bounty.html
http://philippeharewood.com/view-commerce-settings-and-email-for-any-page-shop/
http://philippeharewood.com/view-the-assigned-roles-and-emails-of-an-instagram-account/

IP address
http://asad0x01.blogspot.com/2017/05/facebook-buggetting-other-users-ip.html

Symlink Attack
http://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html

Accellion’s Secure File Transfer
http://blog.orange.tw/2016/04/bug-bounty-how-i-hacked-facebook-and-found-someones-backdoor-script.html

XXE
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
http://attack-secure.com/hacked-facebook-word-document/

LFI
http://www.websecuritylog.com/2014/10/facebook--bug-bounty.html?spref=tw

SQLi
https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal
http://josipfranjkovic.blogspot.com/2014/09/step-by-step-exploiting-sql-injection.html

Jenkins
http://blog.dewhurstsecurity.com/2014/12/09/how-i-hacked-facebook.html

API
http://asad0x01.blogspot.com/2017/05/facebook-bugcommentingon-non-friends.html
http://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any--user/
http://roy-castillo.blogspot.com/2013/07/how-i-exposed-your-primary-facebook.html
http://philippeharewood.com/facebook-insights-api-bug/
http://philippeharewood.com/facebook-v2-0-api-bug-inconsistencies-with-app-scoped-ids/
http://intothesymmetry.blogspot.in/2014/09/bounty-leftover-part-1.html
http://philippeharewood.com/paging-cursors-leaking-data-in-graph-api/
http://philippeharewood.com/tagged-places-shouldnt-show-paging-params-if-no-user_tagged_places-granted/
http://philippeharewood.com/bypassing-appsecret_proof-verification/
http://philippeharewood.com/change-the-description-of-a-video-without-publish_actions-permission/
http://philippeharewood.com/icon-field-in-posts-gets-access_token-appended/
http://philippeharewood.com/reply-to-a-message-without-read_page_mailboxes-permission/
http://philippeharewood.com/bypassing-posting-to-friends-timelines-api-restriction/
http://www.7xter.com/2015/03/how-i-exposed-your-private-photos.html
http://philippeharewood.com/facebook-page-profile-picture-update-requires-neither-publish_pages-nor-publish_actions/
http://philippeharewood.com/the-facebook-publish_pages-permission-is-missing-in-melinks/
http://philippeharewood.com/upload-videos-thumbnails-with-just-public_profile-permission/
https://web.archive.org/web/20160202160841/http://www.secinfinity.net/modifying-privacy-settings-on-facebook-through-graph-api/
http://philippeharewood.com/show-friends-sharing-precise-locations-as-a-third-party-application/
http://philippeharewood.com/change-tag-suggestions-for-any-facebook-user/
http://philippeharewood.com/detailed-information-for-all-facebook-native-applications-as-a-non-employee/
http://philippeharewood.com/send-a-location-ping-to-facebook-friends-using-only-public_profile-as-a-third-party-app/
http://philippeharewood.com/third-party-developer-access-to-facebook-captcha-challenges/
http://philippeharewood.com/vault-images-can-be-published-by-third-party-applications/
http://philippeharewood.com/deleting-a-vault-image-makes-data-available-to-third-party-applications/
http://philippeharewood.com/determine-the-number-of-friends-added-for-any-facebook-user/
http://philippeharewood.com/determine-if-any-two-users-are-friends-without-user_friends-permission/
http://philippeharewood.com/determine-if-any-two-users-are-friends-without-user_friends-permission-revisited/
http://philippeharewood.com/creation-of-a-scrapbook-invalidates-the-privacy-set-for-a-non-user-family-member/
http://philippeharewood.com/bypassing-posting-to-friends-timelines-api-restriction-revisited-in-photos/
http://philippeharewood.com/add-a-user-to-the-list-of-facebook-contacts/
http://thesecuritynews.com/project/accessing-the-number-of-active-users-of-any-application
http://philippeharewood.com/view-instant-articles-traffic-lift-for-any-page/
http://philippeharewood.com/view-the-owned-test-users-for-facebook-employees/

GraphQL
http://philippeharewood.com/view-the-graphql-stored-queries-for-any-application/
http://philippeharewood.com/path-disclosure-in-facebook-graphql-api/
http://philippeharewood.com/facebook-employees-commission-splits-counts-are-shown/
http://philippeharewood.com/abusing-facebook-graph-search/
https://medium.com/@rajsek/my-3rd-facebook-bounty-hat-trick-chennai-tcs-er-name-listed-in-facebook-hall-of-fame-47f57f2a4f71
https://pranavhivarekar.in/2017/02/11/facebooks-bug-unauthorized-access-to-credit-card-details-limited-of-any-user/

FQL
https://filippo.io/a-bug-worth-4200$/
http://philippeharewood.com/facebook-keyword_insights-bug/
http://philippeharewood.com/getting-the-username-in-fql-in-2-0-applications/

Login Nonces
https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/

OAuth (AKA Stealing Access Tokens)
https://www.josipfranjkovic.com/blog/hacking-facebook-csrf-device-login-flow
http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/
http://isciurus.blogspot.ru/2013/04/a-story-of-9500-bug-in-facebook-oauth-20.html
http://isciurus.blogspot.ca/2012/09/pwning-facebook-authorization-through.html
http://homakov.blogspot.ca/2013/02/hacking-facebook-with-oauth2-and-chrome.html
http://blog.bentkowski.info/2014/09/in-this-post-ill-explain-to-you.html
https://prakharprasad.com/facebook-mailchimp-application-oauth-2-0-misconfiguration/
http://medu554.blogspot.com/2013/08/facebooks-parse-oauth-bug.html
http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html
http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
http://intothesymmetry.blogspot.in/2014/04/oauth-2-how-i-have-hacked-facebook.html
http://blog.fin1te.net/post/47882639723/stealing-facebook-access-tokens-with-a-double
http://prosecco.gforge.inria.fr/CVE/Facebook_JS_2012.html
http://philippeharewood.com/swiping-facebook-official-access-tokens/
http://whitehatstories.blogspot.in/2017/05/oauth-token-validation-bug-in-facebook.html

Instagram
http://www.iltalehti.fi/digi/2016050221506011_du.shtml
https://viaforensics.com/mobile-security/hacked-your-instagram-account.html
http://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html
http://www.breaksec.com/?p=6164
http://insertco.in/2014/02/10/how-i-hacked-instagram/
http://blog.fin1te.net/post/65636287908/instagrams-one-click-privacy-switch
http://samanfatahpour.blogspot.com/2014/10/facebook-bugbounty-facebook-instagram.html
https://www.arneswinnen.net/2016/02/the-tales-of-a-bug-bounty-hunter-10-interesting-vulnerabilities-in-instagram/
https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/
http://mohankallepalli.blogspot.com/2016/04/instagram-unauthorized-comment-deletion.html
https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-instagram-account-credentials/
http://bugdisclose.blogspot.in/2017/04/instagram-email-verification-issue.html
http://philippeharewood.com/find-instagram-contacts-for-any-user-on-facebook/

Signal
http://philippeharewood.com/getting-facebook-signal-app-access-token/

Slingshot
http://philippeharewood.com/add-any-facebook-user-non-friend-to-slingshot-without-knowing-the-username/

Moments
http://philippeharewood.com/rewriting-a-photo-not-owned-by-the-session-user-in-moments-app/
http://philippeharewood.com/delete-any-moments-app-photo-or-folder-not-owned-by-the-session-user/

Moves
http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html

Whatsapp
https://immukul.blogspot.in/2016/11/whatsapp-hacked.html
http://blog.pentestnepal.tech/post/156707088037/i-got-emails-g-suite-vulnerability
https://medium.com/@vishnu0002/whatsapp-dos-vulnerability-in-ios-android-d896f76d3253