Introduction: Server-Side Request Forgery (SSRF) is a critical web application vulnerability that can lead to unauthorized access, data leakage, and compromise of internal systems. In this article, we will delve into the detection and mitigation of SSRF vulnerabilities during the early coding cycle. …

Complete Details === I found a CSRF from which we can create a Support ticket with the exact title “Your payouts have been disabled due to suspected fraud” in the victim’s account which may panic victim, but I wanted to report this issue because I think this may have a…

Complete Details === During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (Web Version), That broken feature triggers an HTML file download in user’s device, which contains fb_dtsg, hashes, ajaxpipe_token, LoggedIn user details and…

Product Area Pages Complete Details === Facebook allows businesses to sell products on Facebook using their Facebook page & shop feature. In this report, I will demonstrate how a page could have a featured product from another attacker’s page. While initiating this request a user needs “Full permission — Admin”…

Business manager is having an option to add and manage credit cards. However, this functionality is limited to authorized “Admins” of that particular Business. In this report, I will demonstrate how it’s possible to delete saved credit cards, without having an admin or any role in that Victim’s Business. Impact === Victim’s…

Vuln Type Privacy / Authorization Product Area Facebook — Web Complete Details === The analytics tool in Facebook is having an option to create dashboards and the creator can change the privacy of dashboard to “Public” or “Private”. I found that private dashboards can be accessed by other admins of that App…

Again this will be a copy/paste of my whole report nothing fancy gifs and memes in this report 😐 Title Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. Vuln Type Privacy / Authorization Product Area Facebook — Web Description/Impact Description === Hi Facebook Team, …

A few months back I reported this vulnerability Demoted business admin could apply blocklist to all ad accounts and FB rewarded me 500$ for this Vulnerability. After a little bit of more testing, I noticed I can still apply blocklist with low privileges to all Ad accounts in Business Manager.

Summary: During BountyCon 2019 in Singapore, after getting multiple NA & Informative reports. I was digging Business manager more deeply and I noticed that it was possible to apply block list settings to the all ad accounts in a business manager account by an employee. This writeup contains nothing fancy…