Lokesh Kumar

895 Followers

Oct 17, 2022

Facebook SMS Captcha Was Vulnerable to CSRF Attack

This post is about a bug that I found on Meta (aka Facebook) which allowed any endpoint to be requested as a POST request in the SMS Captcha flow, leading to a CSRF attack. After reporting the Contact Point Deanonymization bug, I started looking for a way to bypass it in the account recovery flow…

Bug Bounty

2 min read



Apr 28, 2022

Contact Point Deanonymization Vulnerability in Meta

This post is about a bug that I found on Meta (aka Facebook) which could be used to find the linked primary email address of an account using its mobile number. When Meta announced the Contact Point Deanonymization pay-out guidelines, I started searching for bugs in that area. While testing the password reset flow I…

Meta

3 min read



Aug 17, 2021

Confirming any new Email Address bug in Facebook (Part-4)

This post is about a bug that I found on Facebook which could be used to confirm any email address on a new Facebook account by using an IP and account rotation brute-force attack. This post is a bypass of my previous write-up → Disable Any Unconfirmed Account in Facebook. Vulnerable endpoint: https://m.facebook.com/confirmemail.php?e=victim@mail.com@&c=15579&report=1&message=1 After…

Facebook Bug Bounty

3 min read



Aug 17, 2021

How to Rotate IP ADDRESS For Each Request in Burp Suite

This post explains how to rotate the IP address for each request using Burp Suite. Why IP rotation? IP rotation methods are mostly used for web scraping and for security testing to bypass IP blocking. What is IP address rotation? IP address rotation is a process where assigned IP addresses are distributed to a device at random…

3 min read



Nov 3, 2020

Delete Any Photos In Facebook

This post is about a bug that I found on Facebook which could be used to delete any publicly visible photo by editing the series feature. An image removal vulnerability had already been found in the same series feature by another researcher, Pouya Darabi. …

Facebook Bug Bounty

2 min read



Nov 2, 2020

Reveal the page admin that uploaded a video on the page in comment section

This post is about a bug that I found on Facebook which disclosed the User ID of a person with a page role when they posted a video in the comment section of the page. Recently I read a page admin disclosure write-up by Kassem Bazzoun at https://bugreader.com/kbazzoun@221 . That bug Reveal…

Facebook Bug Bounty

3 min read



Nov 21, 2019

Disable Any Unconfirmed Account in Facebook

This post is about a bug that I found on Facebook which could be used to disable any new unconfirmed account in Facebook by using an IP rotation brute-force attack. This post is a bypass of this write-up → pagefault.me. When a user signs up for a new Facebook account, a 5-digit verification code…

Security

2 min read



Jul 16, 2019

CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook

This post is about a bug that I found on Facebook which could be used to verify any new Gmail or G-Suite account with minimal interaction from the victim. When a user creates a new Facebook account with Gmail, they can confirm the account with two methods: confirming by entering the 5-digit confirmation code …

Security

3 min read



Nov 7, 2017

Bypass OAuth nonce and steal oculus response code

This post is about a bug that I found in the Facebook Oculus application OAuth which could have been used to bypass the nonce and steal the response_code. Recently Facebook made an OAuth login feature for Oculus, which means the user can log in directly to Oculus using their Facebook account. But there is a nonce…

Oauth

3 min read



Nov 7, 2017

Stealing Facebook MailChimp Application OAuth 2.0 Access Token

This post is about a bug that I found in the Facebook MailChimp application OAuth 2.0 which could have been used to steal the access_token. The source idea for this bug I got from a prakharprasad blog post. Facebook Ads Manager can import MailChimp customer data by using OAuth 2.0, to fetch…

Oauth

2 min read


Web Security Researcher
