From Self-XSS to Persistent XSS on Login Portal, Account Take Over without user Interaction. (imgur.com)
Missing Authorization check in Facebook Pages Manager
Business Logic Vulnerabilities Series: A brief on Abusing Invitation Systems
That Escalated Quickly : From partial CSRF to reflected XSS to complete CSRF to Stored XSS
Exploiting Misconfigured CORS on popular BTC Site
Stealing Access Token of One-drive Integration By Chaining CSRF Vulnerability
IDOR While Connecting Social Account in Hackster.io
For PayPal security team, “get user balances and transaction details” is not a vulnerability!
As we approach the 10th anniversary of our bug bounty program, we wanted to take a moment to acknowledge the impact of the researcher community that contributed to helping us protect people on Facebook and across our apps.
Guesthouse (Recon Wins)
Taking over every Ad on OLX (automated), an IDOR story
Sensitive data exposure by requesting a resource with a different content type
How I hacked all the [REDACT] Agents accounts
Reading Internal Files using SSRF vulnerability
How I was Able to see someone’s all private files with a single file share link through Atom feed & Never Give Up #togetherwehitharder HackerOne
Leaking Amazon.com CSRF Tokens Using Service Worker API
How I was able to bypass the current password?
Twitter Account Takeover
A simple post auth bypass leads to unauthorized web server access
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty
Live Video facebook application (Android) its not expired when log out the device on https://www.facebook.com/settings?tab=security&section=sessions&view
GraphQL introspection leads to sensitive data disclosure
5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)
The feature works as intended, but what’s in the source?
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
Authentication bypass on Ubiquity’s Single Sign-On via subdomain takeover
Bypassing Ebay XSS Protection to launch XSS by Nirmal Dahal
Rewriting a photo not owned by the session user in Moments App (Revisited)
gif it time it’ll come to you - Finding More Holes in The Hub
Link Injection Manipulation at admin.google.com
Bug Bounty : Account Takeover Vulnerability POC
How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]
Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]
Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded
[demo.paypal.com] Node.js code injection (RCE)
Xss filter bypass in Yahoo dev.flurry.com
Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program
I got P2 in 1 minute - Stored XSS via Markdown Editor
Another Download Protection Bypass in Google Chrome – BIN files in Mac OS
Facebook BugBounty : Short story on Page admin disclosure
Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution
Gain adfly SMTP access with SSRF via Gopher Protocol
View Facebook payouts for any Facebook Trivia Game
1-Click Account Takeover in Virgool.io — a Nice Case Study
Toggle Group Rules Agreement as a non-member
Sensitive Information Disclosure: Web Cache Deception Attack
Download .arexport files for any public AR Studio Effect
Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference)
Page Admin Disclosure | Facebook Bug Bounty 2019
How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105
Catching support emails from my internet service provider
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports
A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame
How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it
The Importance of keeping up to date, or how I found an interesting bug thanks to a tweet
Oversecured automatically discovers persistent code execution in the Google Play Core Library
My Hacking Adventures With Safari Reader Mode
Accessing the website directly through its IP address, a case of a poorly hidden sql injection
Auth bypass: Leaking Google Cloud service accounts and projects
Stealing local files using Safari Web Share API
How I was able to find easy P1 just by doing Recon
The Short tale of two bugs on Google Cloud Product — Google VRP [Resolved]
How I Found My First Bug Stored Xss and Earned My First Bounty 1000$
(Shopify.com) Blind Stored XSS Via Staff Name \(\)
The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer
A perfect duplicate or how to send an email with a spoofed invoice’s content
Django debug mode to RCE in Microsoft acquisition
Escalating a GitHub leak to takeover entire organization
How I dumped PII information of customers in an ecommerce site?
3133.70$ for RCE on *.withgoogle.com subdomain
I am able to see user’s sensitive data through JSON file
Subdomain Takeover: Yet another Starbucks case
My Disclosed Report about Basic auth Api details at Reverb.com
This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs
How I hacked a Crypto Exchange (Bug Bounty Writeup)
How I gained commit access to Homebrew in 30 minutes
Sending out phishing e-mails from @microsoft.com
Subdomain takeover dew to missconfigured project settings for Custom domain
The program helps us detect and fix issues faster to better protect our community, and the rewards we pay to qualifying participants encourage more high quality security research.
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise!
Getting read access on Edmodo Production Server by exploiting SSRF
How i HACKED admin account via password reset IDOR function of one private currency exchanger site
How I was able to get subscription of $120/year For Free
Whatsapp- DOS vulnerability on Android/iOS/Web
How I used a simple Google query to mine passwords from dozens of public Trello boards
Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS
Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability
Ubisoft | Blind XSS to customer support panel takeover
How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program
Disclose Private Video Thumbnail from Facebook WorkPlace
Stealing money from one account to another account
Multiple security vulnerabilities in domains belonging to Google
How I found 2.9 RCE at Yahoo!
Ssrf to Read Local Files and Abusing the AWS metadata
How I got my first swag on Edmodo with a simple XSS
Lightweight markup: a trio of persistent XSS in GitLab
Vulnerabilities in Facebook Login Approval Form
Facebook Account Recovery Form (CONFLICTING)
This domain is my domain - G Suite A record vulnerability
12k$ for simple path traversal on http://web.whatsapp.com
How I could have compromised any account on one of the biggest startup based in California
How I could have Hacked IIT Guwahati’s website
I was using Facebook Lite and one of my friends asked me for the pictures of our trip.
Complete information disclosure using Broken Access Control
I performed initial recon on the Microsoft domains and gathered some sub domains.
Microsoft Bug Bounty Writeup – Stored XSS Vulnerability
Bigbasket Bug Bounty Writeup
BBC Bug Bounty Write-up | XSS Vulnerability
$3133.7 Google Bug Bounty Writeup- XSS Vulnerability!
Generate Access Tokens for any Facebook user
How I Found and Reporting Vulnerabilities to AntiHack.me by Tomi
A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram
Oauth Misconfiguration lead to complete account takeover
Bypass Content Security Policy framing restriction rule - OLX
Facebook Vulnerability: Unremovable facebook group admin
Abusing MySQL clients to get LFI from the server/client
Gaining access to Uber’s user data through AMPScript evaluation
Turning Self XSS to good XSS via access control
Hack Your Form – New vector for Blind XSS
Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty
Facebook PageAnalyst Could Add oneself as Moderator on Group
View the contact list for a Messenger Kid as a parent-approved contact
Tips for bug bounty beginners from a real life experience
When Cookie Hijacking + HTML Injection become dangerous
Stored XSS Via Alternate Text At Zendesk Support
How I could have taken over any Pinterest account
Step-by-step: exploiting SQL injection(s) in Oculus’ website
How I found the most critical bug in live bug bounty event?
I just wanted to share my happiness with other people and I really hope that this write-up helps people in finding issues on Facebook or any other platform that has a bug bounty program.
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover
Cleartext password in LocalStorage (Writeup)
This is how I managed to win $2000 through Facebook Bug Bounty
Facebook Vulnerability: Unremovable Co-Host in facebook page events
Story of a stored xss to full account takeover vulnerability (N/A to accepted)
Finding hidden gems vol.
Internal paths disclosure due to improper exception handling
Leak of private/in-development app ids, names and translation requests
How i was able to dump SqlDB | Simple bug
Cache Deception: How I discovered a vulnerability in Medium and helped them fix it
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard
How I hacked 40,000 user accounts of Microsoft using 2FA bypass (outlook.live.com)
Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages
Reverse RDP Attack: Code Execution on RDP Clients
A Unique XSS Scenario in SmartSheet || $1000 bounty
How I was able to Extract Information of Other Users - Exploiting IDOR
How I found a simple bug in Facebook without any Test
$7.5k Google Cloud Platform organization issue
View Insights for Any Facebook Marketplace Product
Google bug bounty for security exploit that influences search results
Reflected XSS Moogaloop SWF (Version < 6.2.x)
Misconfiguration of Demographics Privacy in a Page
#BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal)
Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489
#BugBounty — “Let me reset your password and login into your account” - How I was able to Compromise any User Account via Reset Password Functionality
Dox Facebook Employees Behind “Did You Know” Questions
Union Based Sql injection Write up -> A private Company Site
Getting any Facebook user’s friend list and partial payment card details
Stored XSS, and SSRF in Google using the Dataset Publishing Language
Useful technique to bypass strong XSS protection in well known website
Overdue write-up: how I got my first bug in Facebook Group
Leaking Application Tokens via Instagram Clickjacking Vulnerability
Penetrating PornHub – XSS vulns galore (plus a cool shirt)
$55,000 Facebook token leak vs Funny Airline token leak
Hunting Stories: Schneider Electric & the Andover Continuum Web.Client
Microsoft Yammer Clickjacking – exploiting HTML5 Security Features
Unauthenticated RCE on MobileIron MDM
Universal XSS in Django REST Framework API
One Misconfig (JIRA) to leak user personal Info
Server Side Request Forgery Critical Exploitable in Infected Site
Adminer Script Results to Pwning Server?
CVE-2020–9854: “Unauthd” - (three) logic bugs ftw
4 vulnerabilities on GitHub Enterprise, from SSRF execution Chain to RCE!!!
Missing Authorization check while deleting app Review for Marketing API