This post is about a bug that I found on Facebook which could be used to delete any publicly visible photo by editing the series feature.

An image removal vulnerability had already been found in the same series feature by another researcher, Pouya Darabi. This write-up is a bypass of that fix in a different scenario.


The series has an option to set photos as Poster Art (mandatory) and Cover Image (optional).


Reveal the page admin that uploaded a video in the page's comment section

This post is about a bug that I found on Facebook which could be used to disclose the User ID of a person with a page role when they posted a video in the comment section of the page.

Recently I read a page admin disclosure write-up by Kassem Bazzoun at https://bugreader.com/kbazzoun@221. That bug revealed the page admin that uploaded a video on the page feed, and after reading the write-up I decided to try whether I could bypass the fix with different scenarios.

The question that came to my mind was how the Facebook server would validate the Video ID if it is in a different section of the page. …


This post is about a bug that I found on Facebook which could be used to disable any new unconfirmed Facebook account by using an IP rotation brute force attack. This post is a bypass of this write-up → pagefault.me


On Facebook, when a user signs up for a new account, a 5-digit verification code is sent to the corresponding email. But for security reasons the victim has an option to disable that verification code, because an attacker can also try to create a new account using the victim's email.

Vulnerable endpoint:

https://m.facebook.com/confirmemail.php?e=victim@mail.com@&c=15579&report=1&message=1

But rate limiting was implemented on this endpoint. After a certain number of attempts at brute forcing the 5-digit verification code I got Temporary…


This post is about a bug that I found on Facebook which could be used to verify any new Gmail and G Suite account with minimal victim interaction.


When a user creates a new Facebook account with Gmail, they can confirm the account with two methods.

  1. Confirming by entering the 5-digit confirmation code
  2. Confirming by OAuth login.


This post is about a bug that I found in the Facebook MailChimp application's OAuth 2.0 flow which could have been used to steal the access_token. The source idea for this bug I got from a prakharprasad blog post.

Mailchimp OAuth 2.0

Facebook Ads Manager can import MailChimp customer data by using OAuth 2.0 to fetch the data into Facebook Ads Manager. The application is part of the MailChimp website and was developed by Facebook developers. Once the MailChimp user authorises the application, it will send MailChimp data to Facebook Ads Manager.

OAuth authorisation URL for Facebook Custom Audiences:

Request:

https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/

Response:

https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0

First I tried to bypass redirect_uri but I couldn't. Then I tried the same OAuth flow while logged out of Facebook. It forced me to the login page. …


This bug is almost similar to my previous finding, but with a different reproduction method.

When my previous bug was fixed, Facebook asked me to confirm. So I did all the steps as before, and in the "Getting back to Facebook" mail the code parameter was removed.

So I confirmed to them that the bug had been fixed and got the bounty. After a week, when I routinely checked my testing email, I spotted another automatic mail from Facebook, "Reminder: Confirm your Facebook account", for the account I had created to check the fix for my previous bug.

When I checked the link, the 5-digit OTP code was the same as the one I received at the alternative email address. Then I started to find the core of the issue, and finally found it. …


This post is about a bug that I found on Facebook which could have been used to confirm any new email/mobile number. The source idea for this bug I got from a josipfranjkovic race condition blog post.

When I was testing the account registration and confirmation flow, I tried to brute force the 5-digit OTP code, but after several attempts the server blocked me. So I tried to test with a different scenario, as in the above blog.

I started to randomly change my email and the testing email address, and also tried with a different browser. When I checked my email I noticed the "Getting back to Facebook" mail, but the 5-digit code was the same as in my testing email address. …


I Recently Found a Security Vulnerability in Facebook Which Allows the Admin of an App to Add Any User into Its Roles Without Their Permission


There are several roles in Facebook apps [Admins, Developers, Testers, Insight_Users] to which an admin can add users with their permission. Each role has a different type of access (click to view). If an admin adds any user to a role, it will send an invite to the victim for confirmation.

About

Lokesh Kumar

Web Security Researcher
