Bug bounty write-up bonus: Getting a full shell. Account Takeover Using Cross-Site WebSocket Hijacking (CSWH). Internal paths disclosure due to improper exception handling, Leak of private/in-development app ids, names and translation requests, How I was able to dump SqlDB | Simple bug, Cache Deception: How I discovered a vulnerability in Medium and helped them fix it, Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard, How I hacked 40,000 user accounts of Microsoft using 2FA bypass (outlook.live.com), Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages, Reverse RDP Attack: Code Execution on RDP Clients, A Unique XSS Scenario in SmartSheet || $1000 bounty, How I was able to Extract Information of Other Users - Exploiting IDOR, How I found a simple bug in Facebook without any Test, $7.5k Google Cloud Platform organization issue. How I found massive information disclosure of 1500 famous people. $3133.7 Google Bug Bounty Writeup XSS Vulnerability. My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft, IDOR in session cookie leading to Mass Account Takeover, XSS Stored On Messages In [ Outlook Web — Outlook Android App ], How I was able to see Private Video Uploader Via Facebook Rights Manager. The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2), Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1), Getting access to prompt debug dialog and serialized tool on main website facebook.com. By Facebook … No worries!!
Weak Cryptography in Password Reset to Full Account Takeover, Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability, $3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt, Lucky Bug Which Let Me Change Name of Every Account at a Single Click, Change the profanity filter for any Facebook page, How I made $10K in bug bounties from GitHub secret leaks. Making bug triage faster and simpler: rolling out Facebook's Bug Description Language. By Steve Gao, Application Security Engineer. The initial triage of security bugs we receive through our Bug Bounty program is among the most important steps in addressing potential security issues. To do that, I needed to prove that I can run arbitrary commands, not just single-word commands like whoami. Bug bounty writeups with unknown publication date, This is how I was able to view anyone's private email and birthday on Instagram. Thick Client — Attacking databases the fun/easy way, Arbitrary File Read in one of the largest CRMs, Weaponizing XSS Attacking Internal System, Subdomain Takeover via Unsecured S3 Bucket Connected to the Website. Business Logic Vulnerabilities Series: How I became invisible and immune to blocking on Instagram! Hey UserID x, what's your secret token? I hope everyone is doing good, it's been a while since I have shared any writeup of my findings. Although these bugs aren't related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users' data potentially being misused. By Steve Gao, Application Security Engineer. Multiple API issues due to Fixed Authorization token. Technical breakdown. Blocked User Can Send Notification Due to Logical Bug in Instagram | First Instagram Bug, What is your GCP infra worth?…about ~$700 [Bugbounty], User's email disclosure via invalid password reset link [$250], API secret key Leakage leads to disclosure of Employee's Information.
R-XSS -> CSRF bypass to account takeover, Bypassing Firebase authorization to create custom goo.gl subdomains. Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! The feature works as intended, but what's in the source? This blog post is going to be about a reflected XSS bug affecting Facebook mirror websites. [ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! How to get RCE on AEM instance without Java knowledge, Stealing login credentials with Reflected XSS, One Way to Find Hidden IDOR Vulnerability, OnePlus Open/Unvalidated Redirects & Forwards, Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure, Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork - 1,000 USD, ONEPLUS XSS vulnerability in Customer Support Portal, [Bug Bounty] Exploiting Cookie Based XSS by Finding RCE, [Case Study] OAuth Misconfiguration leads to Account Takeover, Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public, A Simple bypass of Registration Activation that Led to many Bugs. CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze, XSS->Fix->Bypass: 10000$ bounty in Google Maps, From Android Static Analysis to RCE on Prod. By Dan Gurfinkel, Security Engineering Manager. Don't just alert(1), Because XSS is for fun…!! YQL, Yahoo! Disclosing wifi password via content provider injection in Xiaomi, How I was able to send Authentic Emails as others — Google VRP [Resolved], How recon helped me to find an interesting bug…, Open Sesame: Escalating Open Redirect to RCE with Electron Code Review, Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323, Deleted data stored permanently on Instagram? Reply from Facebook team.
Private bug bounty \(,\)$ USD: "RCE as root on Marathon-Mesos instance", Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection, Create living room polls as a Facebook page analyst, One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse, Rights Manager Graph API Disclosure of business employee to non business employee, Instagram account is reactivated without entering 2FA ($500). Getting access to Zendesk's Google Cloud and Artifactory from GitHub dotfile repos. Subdomain takeover due to misconfigured project settings for Custom domain. How to look for JS files Vulnerability for fun and profit? How Did Tons of People Like Me on Tinder? Bug Bounty POC. RunKeeper Stored XSS Vulnerability – Where worms are able to run too! How to get AWS keys again, Yeah! Making an XSS triggered by CSP bypass on Twitter. Generate valid signatures for files hosted in Facebook CDNs, Ability to bruteforce Instagram account's password due to lack of rate limitation protection. View orders and financial reports lists for any page shop. How I Hacked Dutch Government in 5 Minutes? Stealing Side-Channel Attack Tokens in Facebook Account Switcher, How I was able to Harvest other Vine users' IP address, How I found web shell on AntiHack.me and Awarded Gold Coin And SWAG, A Curious Case From Little To Complete Email Verification Bypass. Public program. Approaching the 10th Anniversary of Our Bug Bounty Program. GoogleMeetRoulette: Joining random meetings.
-, RCE, Directory listing, Lack of authentication, Client-side enforcement of server-side security, Authorization flaw, CSRF, Account takeover, Authentication flaw, Password reset flaw, Email spoofing, Open mail relay, Lack of authentication, Password reset flaw, Host header injection, SQL injection, Privilege escalation, Parameter injection, RCE, Hardcoded API keys, Information disclosure, Logic flaw, HTML injection, Email spoofing, Open mail relay, RCE, Insecure deserialization, Arbitrary file upload, Bruteforce, Smear phishing. ...into RCE on Amazon Collaboration System, Adminer Script Results to Pwning Server?, Private Bug Bounty Program. View the ranked messenger users for any page, [Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN], Authenticated CORS with Access-Control-Allow-Origin: *, Chains on Chains!! Godaddy XSS affects parked domains redirector/processor! Microsoft Bug Bounty Writeup – Stored XSS Vulnerability. 4: Rakefile a.k.a. Should you be concerned about LastPass uploading your passwords to its server? 1: forging OAuth tokens using discovered client id and client secret, Unclaimed Medium Publication takeover in WeTransfer, Into the Borg – SSRF inside Google production network, The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet, How I was able to delete 13k+ Microsoft Translator projects, Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups, Hacking thousands of companies through their helpdesk, CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation, WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A ["Blind" XSS Stored iOS in messengers twins, who really care about your security? How I was able to verify any contact number for my account? Bounty Tip !! By Jane Manchun Wong. POODLE SSLv3 bug on multiple twitter smtp servers.
CVE-2014-7216: A Journey Through Yahoo's Bug Bounty Program, Bypassing Google Authentication on Periscope's Administration Panel, Bypass ad account roles vulnerability 2015, Race conditions on Facebook, DigitalOcean and others (fixed), Neglected DNS records exploited to takeover subdomains, Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw. A Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile. {"uid": "1234567890"}. How I was able to take over any account via the Password Reset Functionality. Researching Polymorphic Images for XSS on Google Scholar, [Bug Bounty Writeups] Exploiting SQL Injection Vulnerability, Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin, Indirect UXSS issue on a private Android target app, Recon to Sensitive Information Disclosure in Minutes, Private giant chat app – Send message to victim while sender blocked, Piercing the Veal: Short Stories to Read with Friends, Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, From Recon to P1 (Critical) — An Easy Win, Misconfigured WordPress takeover to Remote Code Execution, Exploiting a Race Condition Vulnerability. Twitter Account Takeover, A simple post auth bypass leads to unauthorized web server access, Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty, Live Video Facebook application (Android) is not expired when logging out the device on https://www.facebook.com/settings?tab=security&section=sessions&view, GraphQL introspection leads to sensitive data disclosure, 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!). We hope the following write-up will help new bug hunters and researchers. Go Pro, get Bugs!
Business ID leak via Creative Hub redirect, SSRF | Reading Local Files from DownNotifier server, How I found a simple and weird Account takeover bug, Race Condition that could Result in RCE - (A story with an App that temporarily stored an uploaded file within 2 seconds before moving it to Amazon S3), I Could Have Hacked All Uber Accounts - But I Chose to Report it Instead, How two dead accounts allowed remote crash of any instagram android user, Unauthorized access to all user information leaks. Chaining several IDORs into Account Takeover (PART ONE), [Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration, How I accidentally took down GitHub Actions, How I Bought VPS, Hosting, Domain for only $0.01, BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! [Responsible Disclosure], A Long Overdue Write-up: How I got into the Oppo Hall of Fame. Stored XSS in the guide's GameplayVersion (www.dota2.com), Facebook Marketing Confidential Call Transcript, How to hunt for Malvertising ads on Android, Slack announcement-only channel post restriction bypass, Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint, Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560), Discovering a zero day and getting code execution on Mozilla's AWS Network, From http:// domain to res:// domain XSS by using IE Adobe's PDF ActiveX plugin. Clickjacking in Google Docs and Voice typing feature.
My First Swag Pack: A Logical Bug on Edmodo, Blind-XSS in Chrome Experiments - Google (Write Up), #BugBounty — @Paytm Customer Information is at risk — India's largest digital wallet company, Discovering and Exploiting a Vulnerability in Android's Personal Dictionary (CVE-2018-9375), Exploiting a Microsoft Edge Vulnerability to Steal Files, Shipt Subdomain TakeOver via HeroKu (test.shipt.com), Disclose Facebook Internal Server Information With A Strange Poll, How I could access your internal servers, steal and modify your image repository, Yahoo — Two XSSi vulnerabilities chained to steal user information. Remote Code Execution (RCE) on Microsoft's 'signout.live.com', How we broke PHP, hacked Pornhub and earned $20,000, Stealing Facebook access_tokens using CSRF in device login flow, How I Could Steal Money from Instagram, Google and Microsoft, TopCoder.com Vulnerabilities – A tale of site-wide bugs leads to accounts compromise & payments hijacking, Uber Hacking: How we found out who you are, where you are and where you went, Medium Full Account Takeover By One Click, Two vulnerabilities make an Exploit!! Just another tale of severe bugs on a private program. How I got access to critical data of a Company in no time? Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version). We had a good share of a laugh, but deep inside I was having an evil laugh as I was excited that I had found a security issue on Facebook again! How I was able to find a logical bug on Instagram? I was using Facebook Lite and one of my friends asked me for the pictures of our trip.