Contact Point Deanonymization Vulnerability in Meta

  1. An attacker can easily OSINT the victim's email address, for example by going from a mobile number to an email address.
  2. The password reset endpoint doesn't require an active session, so an attacker can easily automate this workflow and scrape the data in bulk by rotating random mobile numbers and using IP rotation.

  1. Only a masked email address is returned on the password reset page on all Facebook and Workplace domains.
  2. Only work account OTPs are validated on work.facebook.com.

Web Security Researcher

Lokesh Kumar
