This post is about an bug that I found on Meta (aka Facebook) which used to find a linked Primary email address of a account using mobile number When Meta announced Contact Point Deanonymization pay-out guidelines I started to search bugs on it. when testing in password reset flow I…

This post is about an bug that I found on Facebook which used to Confirming any email address in new Facebook account by using IP and Account Rotation brute force attack. this post is bypass of my previous write-up → Disable Any Unconfirmed Account in Facebook Vulnerable Endpoint: https://m.facebook.com/confirmemail.php?e=victim@mail.com@&c=15579&report=1&message=1 After…

This post is about to explain how to rotate IP address for each request using Burp Suite. Why IP ROTATION? Mostly these IP Rotation method is used for Web Scraping, Security Testing to bypass IP blocking. What is IP address rotation? IP address rotation is a process where assigned IP addresses are distributed to a device at random…

This post is about an bug that I found on Facebook which used to delete any publicly visible photos by editing the series feature Already a image removal vulnerability was found in same series feature by another researcher Pouya Darabi . …

Reveal the page admin that uploaded a video on the page in comment section This post is about an bug that I found on Facebook which used to disclose the page role person’s User ID when posted a video on comment section of the page. Recently I read a page admin disclosure writeup that was found by Kassem Bazzoun in https://bugreader.com/kbazzoun@221 .That bug Reveal…

This post is about an bug that I found on Facebook which used to Disable any new unconfirmed account in Facebook by using IP Rotation brute force attack. this post is bypass of this write-up → pagefault.me In Facebook if a user Sign-up a new account. 5 digit Verification code…

This post is about an bug that i found on Facebook which used to verify any new Gmail and G-Suite account with minimal Victim’s interaction. When a user create a new Facebook account with Gmail they can confirm the account with two methods. Confirming by entering 5 digit confirmation…

This post is about an bug that i found on Facebook Oculus Application OAuth which could have been used to bypass nonce and steal response_code Recently Facebook made a Oauth login Feature for Oculus. that means the user can directly login to oculus using facebook account.but there is a nonce…

This post is about an bug that i found on Facebook MailChimp Application OAuth 2.0 which could have been used to steal Access_token. and The Source idea for this bug i got from prakharprasad blog post. Facebook Ads Manager can import MailChimp customer data by using OAuth 2.0, to fetch…