|$0, Logic flaw, Password reset flaw, Account takeover, Logic flaw, Authorization flaw, Payment bypass, NTLMv2 hash disclosure, One-click execution of arbitrary .Net assemblies, Authorization flaw, Account takeover, Homograph attack, MacOS privilege escalation, Authorization flaw, 2FA bypass, Bruteforce, Lack of rate limiting, AWS misconfiguration, Information disclosure, Authorization flaw, Client-side enforcement of server-side security, Information disclosure, Lack of rate limiting, Authentication bypass, Logic flaw, Password reset flaw, Account takeover, Bruteforce, Lack of rate limiting, Account takeover, Exposed JWT generation endpoint, Hardcoded credentials, Information disclosure, CORS misconfiguration, CSRF, Account takeover, Client-side enforcement of server-side security, Exposed token generation endpoint, Information disclosure, Outdated component with a known vulnerability, DoS, RCE, Default credentials, SSRF, Reflected XSS, RCE, Information disclosure, Lack of rate limiting, Bruteforce, Weak credentials, Information disclosure, Internal directories enumeration, OTP bypass, Bruteforce, Lack of rate limiting, Lack of authentication, Information disclosure, CRLF, HTTP response splitting, Reflected XSS, Account takeover, Login screen bypass, Authentication bypass, Password reset flaw, DoS, Lack of rate limiting, Broken access control, Authorization flaw, Account takeover, Password reset flaw, Sign-up flaw, Stored XSS, Information disclosure, Unrestricted file upload, OAuth misconfiguration, Account takeover, CSRF, Account takeover, Password reset flaw, Cryptographic issues, Information disclosure, Outdated component with a known vulnerability, Wordpress takeover, RCE, Security misconfiguration, Open redirect, DOM-based open redirect, OAuth token theft, Password reset flaw, HTTP parameter pollution, IDOR, Password reset flaw, Email confirmation bypass, Zero-Click Unauthorized Access to Sensitive Data, Password reset flaw, Information disclosure, Account 
takeover, Information disclosure, Lack of authentication, Authentication bypass, Lack of rate limiting, Credentials sent over unencrypted channel, SSRF, Reflected XSS, Authentication bypass, Host header injection, Password reset flaw, Password reset flaw, Information disclosure, Information disclosure, Lack of rate limiting, Bruteforce, Race condition, DoS, Logic flaw, Session management flaw, Lack of authentication, Information disclosure, Authorization flaw, Authorization flaw, Information disclosure, Account takeover, HTTP Parameter pollution, Password reset flaw, OTP bypass, Information disclosure, Hardcoded credentials, AWS misconfiguration, Directory listing, Information disclosure, Stored XSS, CSP bypass, Open redirect, RCE, Unrestricted file upload, XSS, Authorization flaw, Broken access control, Information disclosure, Cross-Site Websocket Hijacking, Account takeover, Account takeover, Logic flaw, Authorization flaw, Account takeover, Password reset flaw, Lack of rate limiting, HTTP request smuggling, Account takeover, Open redirect, Internal header disclosure, Alibaba, Verizon Media, [Private program], XSS, Privilege escalation, Information disclosure, Insecure storage of sensitive information, RCE, Heap Buffer Overflow, Heap Use-After-Free, Unrestricted file upload, Authorization flaw, CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw, Lack of authentication, Privilege escalation, Denial of Service, Commit Hash Collisions, Directory listing, Information disclosure, RCE, XSS, Logic flaw, Information disclosure, Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS, Race condition, RCE, Unrestricted file upload, Information disclosure, Authentication bypass, IDOR, Internal path disclosure, Information disclosure, IDOR, Password reset flaw, Account takeover, IDOR, SSRF, Information disclosure, CORS misconfiguration, Open redirect, OAuth token theft, Account takeover, Password reset flaw, 
IDOR, Account takeover, Source code disclosure, Information disclosure, $0 (150€ + 150€ platform credit promised but not delivered), Email confirmation bypass, Information disclosure, HTML injection, HTTP Leak, Account takeover, Privilege escalation, Information disclosure, Cross-Site WebSocket Hijacking (CSWH), Account takeover, Side-channel attack, Cross-Site Frame Leakage (CSFL), Web cache deception, Information disclosure, Lack of rate limiting, Information disclosure, XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials, Directory listing, SQL injection, Authentication bypass, Email verification bypass, Authorization flaw, Email validation bypass, Authorization flaw, Client-side validation bypass, Authentication bypass, Authorization flaw, Privilege escalation, Stored XSS, Object Injection, OAuth flaw, Authentication bypass, Account takeover, Parameter tampering, Authorization flaw, IDOR, Account takeover, Privilege escalation, Bruteforce, Account takeover, OTP bypass, Password reset flaw, Information disclosure, Lack of rate limiting, .git folder disclosure, Source code disclosure, Logic flaw, 2FA bypass, Authentication flaw, Information disclosure, Authentication bypass, Account takeover, Thick client flaw, Credentials sent over unencrypted channel, Logic flaw, Authorization flaw, Information disclosure, Information disclosure, Hardcoded credentials, AWS flaw, Misconfigured JSF ViewState, Java deserialization, Account takeover, Information disclosure, Password reset flaw, Outdated component with a known vulnerability, Information disclosure, RCE, Information disclosure, Debugging enabled, Privilege escalation, Improper session management, HTTP Parameter Pollution, Password reset flaw, Account takeover, reCAPTCHA bypass, email enumeration, username enumeration, Password reset flaw, Account takeover, Bruteforce, OTP bypass, IDOR, Account takeover, Password reset flaw, CSV injection, Server side spreadsheet injection, Formula 
injection, RCE, Expression Language Injection (JSTL), Information disclosure, RCE, Clickjacking, XSS, Same Origin Method Execution, IDOR, Stored XSS, Account takeover, Blind XSS, HTTP parameter pollution, reCAPTCHA bypass, Broken access control, Directory traversal, Stored XSS, Open redirect, subdomain takeover, XSS, HTTP parameter pollution, okex.com, livecoin.net, [private program], Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection, Blind XSS, Blind SQL injection, SMTP header injection, Account takeover, Authentication bypass, Authorization flaw, SQL injection, SQL injection, Auth bypass, Account takeover, Authorization flaw, Logic flaw, Information disclosure, DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF, Web parameter tampering / Price manipulation, OAuth flaw, Authentication flaw, Information disclosure, Read-only access to private server files, Blind SSRF/Blind XXE, Stored XSS, Reflected XSS, SSRF, Command injection, Gitlab, Slack, Yammer, Kayako, Zendesk & more, Subdomain takeover, Authentication bypass, OAuth flaw, Login CSRF, Open redirect, Authentication bypass, Oracle Responsys, Facebook, Linkedin, Dropbox, postMessage flaw, Violation of Secure Design Principles, Account takeover, IDOR, Password reset flaw, OAuth flaw, account takeover, Stored self-XSS, CSRF, Account takeover, Payment hijacking, Bruteforce, Information disclosure, Logic flaw, IDOR, Stored XSS, Reflected XSS, Default credentials, Privilege escalation, Open redirect, Account takeover, Information disclosure. Disclosing wifi password via content provider injection in Xiaomi, How I was able to send Authentic Emails as others — Google VRP [Resolved], How recon helped me to find an interesting bug…, Open Sesame: Escalating Open Redirect to RCE with Electron Code Review, Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323, Deleted data stored permanently on Instagram? August 21, 2019.
SSRF to Read Local Files and Abusing the AWS metadata. Twitter Account Takeover, A simple post auth bypass leads to unauthorized web server access, Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty, Live Video facebook application (Android) it's not expired when log out the device on https://www.facebook.com/settings?tab=security&section=sessions&view, GraphQL introspection leads to sensitive data disclosure, 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!). How a classical XSS can lead to persistent ATO Vulnerability? How I bypassed 2fa in a 3 years old private program! How I was able to earn 1000$ with just 10 minutes of bug bounty? #BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! How did I earn $3133.70 from Google Translator? Go Pro, get Bugs! User Account Takeover [Password Change] — Nice Catch! Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. Thick Client — Attacking databases the fun/easy way, Arbitrary File Read in one of the largest CRMs, Weaponizing XSS Attacking Internal System, Subdomain Takeover via Unsecured S3 Bucket Connected to the Website. Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. Client side validation strikes again: PIN code bypass! How I earn $500 from Razer open S3 bucket, My First RCE (Stressed Employee gets me 2x bounty), The Bug That Exposed Your PayPal Password.
Samsung S20 - RCE via Samsung Galaxy Store App, GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty, Back to 2019: Disclosure Employers PII and Credentials, GitHub Gist - Account takeover via open redirect - $10,000 Bounty, GitHub - RCE via git option injection (almost) - $20,000 Bounty, Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account. Multiple API issues due to Fixed Authorization token. (Hall Of Fame), suPHP - The vulnerable ghost in your shell, Unauthenticated File upload Vulnerability on Synology Sub-domain, How I earned $500 from Google - Flaw in Authentication, $25K Instagram Almost XSS Filter Link — Facebook Bug Bounty. Chains on Chains: Chaining multiple low-level vulns into a Critical. Phone number validation bypass through url path manipulation. For a technology company, having a bug bounty program has become indispensable. Account Takeover Using Cross-Site WebSocket Hijacking (CSWH). [REDACTED].com, Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up), Read other user support tickets in https://support..com (Write Up), Writing my Medium blog to complete account takeover, Exploiting Out Of Band XXE using internal network and php wrappers, BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error), Vulnerability in Hangouts Chat: from open redirect to code execution, Leveraging AngularJS-based XSS to Privilege Escalation, From Sub domain Takeover to Open-Redirect. Step-by-step: exploiting SQL injection(s) in Oculus’ website.
Making bug triage faster and simpler: rolling out Facebook’s Bug Description Language, by Steve Gao, Application Security Engineer: "The initial triage of security bugs we receive through our Bug Bounty program is among the most important steps in addressing potential security issues." The story of my first ever, 1500$, bounty from Facebook. Bug Bounty Awarded. Facebook Bug Bounty 2020, Improper Implementation of My Status video time limit in WhatsApp, False2True, Match and Replace bug hunting — A cautionary tale. How did I bypass a Custom Brute Force protection and why that solution is not a good idea? Facebook has operated a bug bounty program in which external security researchers help improve the security and privacy of the social network's products and … Pwning eBay - How I Dumped eBay Japan’s Website Source Code, Instagram Multi-factor authentication Bypass, Disclose contact_email of any Facebook application. This writeup is about an easy catch in Facebook Lite that led me to win a bug bounty from Facebook unexpectedly for the first time.
SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software, Facebook hidden redirection vulnerability, XSS with HTML and how to convert the HTML into charcode(), Google sites and exploiting same origin policy, Cookie-based-injection XSS making exploitable with-out exploiting other Vulns, Harvesting all private invites using leave program fast-tracked invitation and, A possibility of Account Takeover in Medium, Add comment on a private Oculus Developer bug report, Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne, Path traversal while uploading results in RCE, Brave Browser Script Blocker Bypass Vulnerability, [Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users, Add description to Instagram Posts on behalf of other users - 6500$, Access to staging environment via User-Agent string, Symantec Messaging Gateway authentication bypass, Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR), DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More, Make any Unit in Facebook Groups Undeletable, Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com, My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY, Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study. 
Popping a shell on the Oculus developer portal, Facebook – Stored Cross-Site Scripting (XSS) – Badges, Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS), Facebook – Send Notifications to any User Exploit, Google Exploit – Steal Account Login Email Addresses, Google Sites: A Tale of Five Vulnerabilities, XSS - Google Groups (groups.google.com) - Vulnerability Reward Program, Facebook bug bounty: secondary damage (one report that leads to more bugs), fairness, and why I really like reporting to Facebook, Facebook CSRF leading to full account takeover (fixed), PayPal Bug Bounty: PayPaltech.com E-Mail Injection, Removing Covers Images on Friendship Pages, on Facebook. How I hacked Dutch Government in 5 Minutes, Instagram – Leaking Application Tokens via Instagram Clickjacking Vulnerability, Write-up: how I bypassed AKAMAI KONA WAF, XSS in Android WebView (CVE-2020-6506), Unremovable Co-Host in Facebook Group events, The Shells be with you - a Star Wars RCE Adventure, Kud I Enter your Server?, View orders and financial reports lists for any Facebook commerce page, How I became invisible and immune to blocking on Instagram, [Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com, Subdomain takeover due to misconfigured project settings for custom domain, Address bar spoofing in Firefox Lite for Android …and the idiocy that followed, One Misconfig (JIRA) to leak them All- including NASA and…, Race Condition bug in Facebook Chat Groups leads to spy on conversations, Simple Login Brute Force / current Password Requirement bypass, Account takeover via HTTP Request Smuggling, [Facebook] Disclosure of the verified phone number in Checkpoint, Facebook Pages Admins disclosure Vulnerability, Bug Bounty — Getting PII from O365, Unauthenticated RCE on Amazon Collaboration System, Adminer Script Results to Pwning Server?