Complete Details
===

I found a CSRF vulnerability that lets an attacker create a Support ticket with the exact title “Your payouts have been disabled due to suspected fraud” in the victim’s account, which may panic the victim, but I wanted to report this issue because I think this may have a…


Complete Details
===
During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (web version). That broken feature triggers an HTML file download to the user’s device, and that file contains the fb_dtsg, hashes, the ajaxpipe_token, logged-in user details and…


Product Area

Pages

Complete Details
===
Facebook allows businesses to sell products on Facebook using the Facebook Page & Shop feature. In this report, I will demonstrate how a victim’s page could be made to feature a product from an attacker’s page.

Normally, initiating this request requires the “Full permission — Admin” role…


Business Manager has an option to add and manage credit cards. However, this functionality is limited to authorized “Admins” of that particular Business.

In this report, I will demonstrate how it was possible to delete saved credit cards without having an admin role, or any role at all, in the victim’s Business.

Impact
===
Victim’s…


Vuln Type

Privacy / Authorization

Product Area

Facebook — Web

Complete Details
===
The Facebook analytics tool has an option to create dashboards, and the creator can set a dashboard’s privacy to “Public” or “Private”. I found that private dashboards could be accessed by other admins of that App…


Again, this will be a copy/paste of my whole report: nothing fancy, no GIFs or memes in this one 😐

Title

Whitehat test accounts can act as a Hidden Admin of Business Manager / Ad Accounts.

Vuln Type

Privacy / Authorization

Product Area

Facebook — Web

Description/Impact

Description
===
Hi Facebook Team,


A few months back I reported this vulnerability, “Demoted business admin could apply blocklist to all ad accounts”, and FB rewarded me $500 for it. After a bit more testing, I noticed I could still apply a blocklist with low privileges to all Ad accounts in Business Manager.


Summary: During BountyCon 2019 in Singapore, after getting multiple NA & Informative reports, I was digging into Business Manager more deeply and noticed that it was possible for an employee to apply blocklist settings to all the ad accounts in a Business Manager account.

This writeup contains nothing fancy…



Ever thought about how you pass data from a form into your queries? Are you building them dynamically?
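The teaser above only hints at the problem; as an added example that is not part of the original post, here is the difference between splicing form input into a query string and binding it as a parameter. It assumes the post is about SQL queries built dynamically from form fields (an assumption, since the teaser does not say which query language), and uses an in-memory SQLite table with constructed sample rows so it runs offline.

```python
import sqlite3

# Constructed sample data (not from the post): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Constructed attacker input: closes the quoted string and appends an always-true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_dynamic(conn, username):
    """VULNERABLE: the form value is pasted into the SQL text.

    Any quote in `username` changes the structure of the statement, so
    attacker-controlled input becomes attacker-controlled SQL.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """SAFE: the value is bound by the driver as data, never parsed as SQL.

    The statement text is fixed; `username` can only ever be compared as a
    string, no matter what characters it contains.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(payload):
    """Run the same input through both versions and return the row counts."""
    conn = make_db()
    try:
        return {
            "dynamic": len(lookup_dynamic(conn, payload)),
            "parameterized": len(lookup_parameterized(conn, payload)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:", compare("alice"))
    print("injection   :", compare(INJECTION_PAYLOAD))
```

With the benign value both versions return exactly one row. With the payload the dynamic version returns every row in the table because the WHERE clause has become `username = 'x' OR '1'='1'`, while the parameterized version returns nothing, since no user is literally named `x' OR '1'='1`. Parameter binding is the fix; escaping quotes by hand is not.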

Summary: In this writeup, I will explain how I was able to change a user account’s password without providing the old password. This writeup will be short. …


Hello bug hunters! This blog post is about a Facebook/Workplace security vulnerability. This bug could have exposed users’ sensitive email subjects. You all know what kind of notifications or messages Facebook sends to your email inbox. An attacker was able to expose all of these details with this specific bug.


These…

Rohit kumar

✌ Startup Enthusiast, Business Minded, Bug Hunter, Programmer, Astrophile, Learner and Genius :D 😅
