Bug Bounty Writeups

This document provides links to writeups of security issues reported to Facebook through their bug bounty program. It includes over 50 links organized by categories like business logic issues, XSS vulnerabilities, CSRF, privacy issues, and more. The document aims to compile writeups from various security researchers that detail technical exploits found on Facebook's platforms.

Some of the great writeups on Facebook bug bounty!

All these writeups were compiled by @phwd. A very special thanks to him.

Business Logic

https://www.facebook.com/groups/bugbountygroup/permalink/912689175794578/?hc_location=ufi

https://bugreader.com/kbazzoun@138

https://bugreader.com/kbazzoun@146

https://bugreader.com/godzkid@149

https://bugreader.com/majd@159

https://bugreader.com/majd@bypass-the-allow-message-replies-setting-in-instagram-158

https://bugreader.com/vivekps143@164

https://medium.com/@saugatpokharel/cannot-revoke-session-on-messenger-for-kids-facebook-bug-bounty-2020-9505ca201ec7

https://medium.com/@yaala/bypassing-message-request-inbox-cf54f859dd25

https://medium.com/@kishoretk/how-i-was-able-to-see-identity-of-a-private-video-up-loader-via-rights-manager-responsible-39d996517b6e

https://medium.com/@rohitcoder/idor-delete-saved-credit-cards-from-any-business-manager-account-f28c773982eb

https://bugreader.com/social/100833

https://ysamm.com/?p=460

https://ysamm.com/?p=450

https://philippeharewood.com/disclose-commerce-manager-users

https://medium.com/@yaala/malicious-user-can-access-to-rooms-chat-in-facebook-by-brute-forcing-ids-informative-7b11259f60fe

https://blog.easysiem.com/application-security/case-study-i-browser-anomaly-with-facebook-apps-1500usd

ImageTragick

https://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html

FBCDN

https://philippeharewood.com/generate-valid-signatures-for-fbcdn-urls/

https://bugreader.com/private@E0GD5-UT71G-G7LBM-OMKT-RPT202

XSS

https://opnsec.com/2018/03/stored-xss-on-facebook/

https://vinothkumar.me/20000-facebook-dom-xss/

https://twitter.com/opnsec/status/855076273395204097

https://whitton.io/articles/xss-on-facebook-via-png-content-types/

https://philippeharewood.com/ability-to-upload-html-via-srt-caption-files-for-facebook-videos/

http://breaksec.com/?p=5713

http://nirgoldshlager.blogspot.com/2013/01/another-stored-xss-in-facebookcom.html

https://nealpoole.com/blog/2011/03/xss-vulnerability-in-facebook-translations/

https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/

http://www.paulosyibelo.com/2014/07/the-unseen-facebook-bug-bounty-2014-x.html

https://prakharprasad.com/facebook-friendfeed-stored-xss/

https://medu554.blogspot.com/2014/02/stored-xss-on-atlassolutions-facebook.html

http://blog.ptsecurity.com/2013/10/a-story-about-xss-on-facebook.html

https://www.youtube.com/watch?v=NQOK9-OXwsc (http://pastebin.com/raw/cuYRhM71)

https://web.archive.org/web/20160119170845/http://www.websecresearch.com/2014/02/facebooks-boltpeterscom-configuration.html

http://nbsriharsha.blogspot.in/2014/03/finally-facebook-hunted.html

https://whitton.io/articles/content-types-and-xss-facebook-studio/

https://en.internetwache.org/facebook-fixes-minor-issues-02-05-2014/

https://silentzzz.blogspot.com/2007/11/facebook-xss-vulnerability.html

https://habr.com/company/pt/blog/247709/

https://web.archive.org/web/20120416034642/http://gill.is/2012/04/11/new_website

https://dr4cun0.com/blog/stored-xss-at-parse/

https://web.archive.org/web/20160724215405/http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/

https://www.facebook.com/groups/bugbountygroup/permalink/440483256348508/

https://thesecurityexperts.wordpress.com/2017/12/20/dom-xss-in-facebook-mobile-siteapp-login/

CSRF

http://www.breaksec.com/?p=6192 ( https://vimeo.com/65453658 )

http://www.sneaked.net/invisible-arbitrary-csrf-profile-picture-upload-in-facebook

https://www.josipfranjkovic.com/blog/facebook-csrf-full-account-takeover

https://josipfranjkovic.blogspot.com/2013/11/facebook-bug-bounty-secondary-damage.html

https://amolnaik4.blogspot.com/2012/08/facebook-csrf-worth-usd-5000.html

https://web.archive.org/web/20160110053958/http://www.dan-melamed.com/2013/06/hacking-any-facebook-account-exploit-poc.html

http://www.paulosyibelo.com/2015/01/facebooks-oculus-exploiting.html

http://blog.mazinahmed.net/2015/06/facebook-messenger-multiple-csrf.html

https://whitton.io/articles/messenger-site-wide-csrf/

https://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/

https://blog.darabi.me/2015/04/bypass-facebook-csrf.html

https://blog.darabi.me/2016/05/how-i-bypassed-facebook-csrf-in-2016.html

https://niyaax9.blogspot.com/2016/04/facebook-csrf-adding-welcome-notes-to.html

https://medium.com/@zahidali_93675/cross-site-request-forgery-in-facebook-86087201d8c

https://www.facebook.com/groups/bugbountygroup/permalink/444862699243897/

https://exploitthesecurity.blogspot.com/2018/01/low-hanging-fruits-4.html

SSRF

https://dr4cun0.com/blog/ssrf-at-update-subscription-menu/

Logic

http://nirgoldshlager.blogspot.com/2013/01/how-i-hacked-facebook-employees-secure.html

http://pwndizzle.blogspot.in/2014/07/breaking-facebooks-text-captcha.html

http://bugbountypoc.com/business-logic-flaw-facebook-poc/

https://philippeharewood.com/edit-the-facebook-album-order-of-any-user/

http://bugbountypoc.com/missing-authorization-check-in-pages-manager/

https://immukul.blogspot.in/2017/04/facebook-bypassing-prohibit-embedding.html

https://www.youtube.com/watch?v=Qu_A_s0LLbs

https://www.youtube.com/watch?v=jxH1yyhCe_k

https://www.youtube.com/watch?v=YFmvlInx4IQ

https://www.youtube.com/watch?v=j_KiiiYpl4w

https://www.aryansinha.com/2017/08/facebook-checkpoint-flaw.html

https://www.facebook.com/Drix17/videos/1799639230274532/?fref=gs&dti=349225725474262&hc_location=group

Race Conditions

https://www.josipfranjkovic.com/blog/race-conditions-on-web

https://josipfranjkovic.blogspot.com/2015/04/race-conditions-on-facebook.html

Rate Limits

http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

http://arunsureshkumar.me/index.php/2016/04/24/facebook-account-take-over/

http://xss001.blogspot.in/2016/05/instagram-account-takeover.html

https://techmedia.com.ng/2016/05/bug-hunter-dislcoses-way-hack-instagram-accounts-facebook/

https://www.kieranclaessens.be/facebook-text-authentication-flaw.html

https://ysamm.com/?p=396

Open Redirect ($500+)

https://thekaitokid.blogspot.com/2014/10/multiple-open-redirection.html

https://0xsobky.github.io/evading-facebook-linkshim/

https://arulkumar.in/multiple-open-url-redirection-vulnerability-in-facebook-worth-1500/

https://www.vulnerability-lab.com/get_content.php?id=975

https://yassineaboukir.com/blog/how-i-discovered-a-1000-open-redirect-in-facebook/

https://medium.com/@dwi.siswanto98/open-redirect-on-facebook-bypass-linkshim-4050f680d45c

https://bugreader.com/ant00961@188

https://philippeharewood.com/change-any-link-at-https-fbwat-ch/

Clickjacking

https://www.codegrudge.com/2015/03/how-i-got-5000-from-facebook-bugbounty.html

http://www.paulosyibelo.com/2015/03/facebook-bug-bounty-clickjacking.html

http://www.lachisterablanca.com/2014/02/bypass-de-la-proteccion-contra.html

Object Reference ($10,000+)

http://www.anandpraka.sh/2014/11/hacking-facebookcomthanks-posting-on.html

https://whitton.io/articles/hijacking-a-facebook-account-with-sms/

https://arulkumar.in/delete-any-photo-from-facebook-by-exploiting-support-dashboard/

https://whitton.io/articles/removing-covers-images-on-friendship-pages-on-facebook/

https://zerohacks.com/bug-bounty-hacks/how-i-hacked-your-facebook-photos/

https://roy-castillo.blogspot.com/2016/02/overwritingremoving-cover-photos-on.html

http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/

https://russellaurio.blogspot.com/2016/11/insecure-direct-object-reference-idor.html

https://www.youtube.com/watch?v=DvNHjh0EJNs

https://philippeharewood.com/posting-gifs-as-anyone-on-facebook/

https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html

Privacy/Spam ($1500+)

https://philippeharewood.com/ability-to-invite-any-user-to-a-facebook-page-all-non-friends/

https://sweethacking.blogspot.com/2014/11/how-i-made-500-usd-by-reporting-logical.html

http://patorjk.com/blog/2013/03/01/facebook-user-identification-bug/

https://web.archive.org/web/20160125122634/http://allanjaydumanhug.ninja/blog/facebook-privacy-bug-view-photos-as-a-blocked-user/

https://web.archive.org/web/20160414193314/https://abhartiya.wordpress.com/2014/12/23/a-bug-in-facebook-that-violated-my-privacy/

https://josipfranjkovic.blogspot.com/2015/07/the-easiest-bug-bounties-i-have-ever-won.html

https://pranavhivarekar.in/2016/02/20/facebooks-bug-fooling-graph-search-to-bypass-privacy-restrictions/

https://web.archive.org/web/20160629134045/https://abhartiya.wordpress.com/2016/02/08/ability-to-send-payment-requests-inspite-of-being-blocked-by-the-recipient/

https://medium.com/@rajsek/curiosity-and-passion-to-your-profession-might-lead-to-make-your-dream-come-true-7d9be3c6029a

https://medium.com/@rajsek/my-2nd-facebook-bounty-poc-fb-data-of-birth-disclosure-d02e1bec50

https://dr4cun0.com/blog/silently-using-facebook-xmpp/

https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user/

https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user-revisited/

https://philippeharewood.com/view-saved-offers-of-another-user/

https://medium.com/@armaanpathan/idor-was-leading-to-privilege-escalation-and-violating-the-facebook-policy-355c67c654e6

Page Roles

https://medium.com/bugbountywriteup/page-admin-disclosure-facebook-bug-bounty-2019-ee9920e768eb

http://whitehatstories.blogspot.in/2017/09/how-i-could-have-crashed-page-role.html

https://pwnsec.ninja/2019/06/28/facebook-bugbounty-short-story-on-page-admin-disclosure/

https://medium.com/nassec-cybersecurity-writeups/page-admin-disclosure-facebook-bug-bounty-2020-8a45cf911e24

https://philippeharewood.com/tag-photos-as-a-page-analyst/

https://philippeharewood.com/using-an-analyst-account-to-post-to-facebook-open-graph-objects/

https://philippeharewood.com/like-any-facebook-page-as-a-page-analyst/

https://philippeharewood.com/viewing-payment-information-as-an-ad-analyst/

https://philippeharewood.com/view-the-job-applications-of-a-page-as-an-analyst/

https://philippeharewood.com/deactivate-facebook-page-shop-as-an-analyst/

https://philippeharewood.com/create-a-product-as-an-analyst-on-a-facebook-page-store/

https://philippeharewood.com/disclose-users-with-roles-on-facebook-pages/

https://philippeharewood.com/change-trust-project-credibility-indicators-as-an-analyst/

https://medium.com/@ajdumanhug/a-simple-bug-on-facebook-that-is-worth-8000-b77f7e01b064

https://medium.com/@joshuaregio/using-app-ads-helper-as-an-analytic-user-e751fcf9c594

https://bugreader.com/semicolonlb@disclose-page-admins-for-any-facebook-page-52

https://khalil-shreateh.com/khalil.shtml/23-khalil/290-facebook-exploit-jan-2015-page-admin-disclosure.html

https://gbhackers.com/facebook-page-admin/

https://medium.com/@avinash_/disclosure-of-pending-roles-for-any-facebook-page-ab6e4e219f8e

http://whitehatstories.blogspot.com/2017/09/how-i-could-have-crashed-page-role.html

https://bugreader.com/smokescreen@disclose-facebook-user-page-roles-admineditormod-94

https://bugreader.com/kbazzoun@132

https://bugreader.com/addictrao@167

https://medium.com/@rohitcoder/private-dashboards-were-accessible-by-other-admins-in-analytics-dashboard-558010a379ab

https://bugreader.com/vivekps143@161

https://bugreader.com/jubabaghdad@disclose-private-dashboard-charts-name-and-data-in-facebook-analytics-184

https://philippeharewood.com/break-the-facebook-page-icebreaker-faq-feature-for-any-page-admin-using-react-sanitizeurl/

https://medium.com/@saugatpokharel/all-comments-not-visible-to-the-page-admin-facebook-bug-bounty-89a5798bf640

https://philippeharewood.com/change-the-profanity-filter-for-any-facebook-page/

https://bugreader.com/vivekps143@169

https://medium.com/@saugatpokharel/able-to-create-hidden-comment-by-blocking-an-admin-facebook-bug-bounty-2020-c62bd10712f

https://ysamm.com/?p=479

https://bugreader.com/vivekps143@race-condition-to-bypass-the-entrant-limit-in-the-facebook-tournament-201

https://medium.com/@yaala/make-featured-product-in-any-video-ec2bd4816ae4

https://medium.com/@yaala/admin-editor-can-disclose-personnel-email-of-other-editor-admin-on-page-who-created-shop-57c35ed9f9b7

https://ullahwasim.github.io/blog/2020/08/06/See-recent-order-items-of-any-Facebook-page.html

Facebook Ads

https://blog.darabi.me/2015/03/facebook-bypass-ads-account-roles.html

https://philippeharewood.com/ads-api-error-leads-to-ad-account-id-being-leaked-from-the-legacy-account-id/

https://philippeharewood.com/view-the-ads-retention-curve-completion-rate-for-any-ad-account/

https://philippeharewood.com/de-anonymizing-facebook-ads/

Facebook Groups

https://web.archive.org/web/20171103133104/http://thesecuritynews.com/project/how-i-was-able-to-post-in-any-facebook-group-on-behalf-of-its-members/

https://www.facebook.com/notes/$2500-lakhpati-bug-at-facebook-gaining-access-to-files-of-a-closed-group/686615161373797

https://medium.com/@rahulmfg/get-groups-doc-without-user-permission-facebook-graph-api-bug-5f19367373a2

https://philippeharewood.com/the-group-idphotos-endpoint-isnt-obeying-the-publish_actions-and-user_groups-permission-requirement/

https://zappstiko.blogspot.com/2017/02/facebook-group-hack-in-2015-i-reported.html

https://medium.com/@iamkartiksingh/missing-functional-level-access-control-in-secret-groups-86da6c110775

https://medium.com/@saugatpokharel/cannot-delete-post-on-facebook-group-facebook-bug-bounty-4f2661655c3a

https://medium.com/@yaala/become-member-of-close-public-group-9564c359c050

Phone number

https://medium.com/bugbountywriteup/how-i-was-able-to-remove-your-instagram-phone-number-d346515e79c3

https://philippeharewood.com/determine-a-user-from-a-private-phone-number/

Email address

https://stephensclafani.com/2013/07/09/obtaining-the-primary-email-address-of-any-facebook-user/

https://web.archive.org/web/20161223175543/http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-for-each-facebook-user/

http://fogmarks.com/2016/04/03/facebook-invitees-email-addresss-disclosure/

https://web.archive.org/web/20170809142917/http://blog.internot.info/2014/05/facebook-skype-to-email-leak-3000-bounty.html

https://philippeharewood.com/view-commerce-settings-and-email-for-any-page-shop/

https://philippeharewood.com/view-the-assigned-roles-and-emails-of-an-instagram-account/

IP address

https://asad0x01.blogspot.com/2017/05/facebook-buggetting-other-users-ip.html

Symlink Attack

https://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html

Accellion’s Secure File Transfer

http://blog.orange.tw/2016/04/bug-bounty-how-i-hacked-facebook-and-found-someones-backdoor-script.html

XXE

https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

https://web.archive.org/web/20150316053924/http://attack-secure.com/hacked-facebook-word-document/

LFI

http://www.websecuritylog.com/2014/10/facebook--bug-bounty.html?spref=tw

SQLi

https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal

https://josipfranjkovic.blogspot.com/2014/09/step-by-step-exploiting-sql-injection.html

Jenkins

https://blog.dewhurstsecurity.com/2014/12/09/how-i-hacked-facebook.html

API

https://blog.darabi.me/2020/06/image-removal-vulnerability-on-facebook.html

https://bugreader.com/social/write-ups-general-how-we-were-able-to-delete-donald-trump-posts-on-facebook--100955

https://asad0x01.blogspot.com/2017/05/facebook-bugcommentingon-non-friends.html

https://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any--user/

https://roy-castillo.blogspot.com/2013/07/how-i-exposed-your-primary-facebook.html

https://philippeharewood.com/facebook-insights-api-bug/

https://philippeharewood.com/facebook-v2-0-api-bug-inconsistencies-with-app-scoped-ids/

http://blog.intothesymmetry.com/2014/09/bounty-leftover-part-1.html

https://philippeharewood.com/paging-cursors-leaking-data-in-graph-api/

https://philippeharewood.com/tagged-places-shouldnt-show-paging-params-if-no-user_tagged_places-granted/

https://philippeharewood.com/bypassing-appsecret_proof-verification/

https://philippeharewood.com/change-the-description-of-a-video-without-publish_actions-permission/

https://philippeharewood.com/icon-field-in-posts-gets-access_token-appended/

https://philippeharewood.com/reply-to-a-message-without-read_page_mailboxes-permission/

https://philippeharewood.com/bypassing-posting-to-friends-timelines-api-restriction/

https://zerohacks.com/bug-bounty-hacks/how-i-exposed-your-private-photos/

https://philippeharewood.com/facebook-page-profile-picture-update-requires-neither-publish_pages-nor-publish_actions/

https://philippeharewood.com/the-facebook-publish_pages-permission-is-missing-in-melinks/

https://philippeharewood.com/upload-videos-thumbnails-with-just-public_profile-permission/

https://web.archive.org/web/20160202160841/http://www.secinfinity.net/modifying-privacy-settings-on-facebook-through-graph-api/

https://philippeharewood.com/show-friends-sharing-precise-locations-as-a-third-party-application/

https://philippeharewood.com/change-tag-suggestions-for-any-facebook-user/

https://philippeharewood.com/detailed-information-for-all-facebook-native-applications-as-a-non-employee/

https://philippeharewood.com/send-a-location-ping-to-facebook-friends-using-only-public_profile-as-a-third-party-app/

https://philippeharewood.com/third-party-developer-access-to-facebook-captcha-challenges/

https://philippeharewood.com/vault-images-can-be-published-by-third-party-applications/

https://philippeharewood.com/deleting-a-vault-image-makes-data-available-to-third-party-applications/

https://philippeharewood.com/determine-the-number-of-friends-added-for-any-facebook-user/

https://philippeharewood.com/determine-if-any-two-users-are-friends-without-user_friends-permission/

https://philippeharewood.com/determine-if-any-two-users-are-friends-without-user_friends-permission-revisited/

https://philippeharewood.com/creation-of-a-scrapbook-invalidates-the-privacy-set-for-a-non-user-family-member/

https://philippeharewood.com/bypassing-posting-to-friends-timelines-api-restriction-revisited-in-photos/

https://philippeharewood.com/add-a-user-to-the-list-of-facebook-contacts/

https://web.archive.org/web/20170708101949/http://thesecuritynews.com/project/accessing-the-number-of-active-users-of-any-application

https://philippeharewood.com/view-instant-articles-traffic-lift-for-any-page/

https://philippeharewood.com/view-the-owned-test-users-for-facebook-employees/

GraphQL

https://philippeharewood.com/view-the-graphql-stored-queries-for-any-application/

https://philippeharewood.com/path-disclosure-in-facebook-graphql-api/

https://philippeharewood.com/facebook-employees-commission-splits-counts-are-shown/

https://philippeharewood.com/abusing-facebook-graph-search/

https://medium.com/@rajsek/my-3rd-facebook-bounty-hat-trick-chennai-tcs-er-name-listed-in-facebook-hall-of-fame-47f57f2a4f71

https://pranavhivarekar.in/2017/02/11/facebooks-bug-unauthorized-access-to-credit-card-details-limited-of-any-user/

https://web.archive.org/web/20171105173154/http://thesecuritynews.com/project/see-insights-of-any-live-video/

FQL

https://filippo.io/a-bug-worth-4200$/

https://philippeharewood.com/facebook-keyword_insights-bug/

https://philippeharewood.com/getting-the-username-in-fql-in-2-0-applications/

Login Nonces

https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/

OAuth (AKA Stealing Access Tokens)

https://www.josipfranjkovic.com/blog/hacking-facebook-csrf-device-login-flow

https://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/

https://isciurus.blogspot.ru/2013/04/a-story-of-9500-bug-in-facebook-oauth-20.html

https://isciurus.blogspot.ca/2012/09/pwning-facebook-authorization-through.html

http://homakov.blogspot.ca/2013/02/hacking-facebook-with-oauth2-and-chrome.html

https://blog.bentkowski.info/2014/09/in-this-post-ill-explain-to-you.html

https://prakharprasad.com/facebook-mailchimp-application-oauth-2-0-misconfiguration/

https://medu554.blogspot.com/2013/08/facebooks-parse-oauth-bug.html

http://breaksec.com/?p=5753

http://nirgoldshlager.blogspot.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html

http://blog.intothesymmetry.com/2014/04/oauth-2-how-i-have-hacked-facebook.html

https://whitton.io/articles/stealing-facebook-access-tokens-with-a-double-submit/

http://prosecco.gforge.inria.fr/CVE/Facebook_JS_2012.html

https://philippeharewood.com/swiping-facebook-official-access-tokens/

http://whitehatstories.blogspot.in/2017/05/oauth-token-validation-bug-in-facebook.html

https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37

https://medium.com/@lokeshdlk77/stealing-facebook-mailchimp-application-oauth-2-0-access-token-3af51f89f5b0

Instagram

https://thezerohack.com/hack-any-instagram

https://thezerohack.com/hack-instagram-again

http://www.iltalehti.fi/digi/2016050221506011_du.shtml

https://viaforensics.com/mobile-security/hacked-your-instagram-account.html

https://josipfranjkovic.blogspot.com/2013/07/how-i-found-my-way-into-instagrams.html

http://breaksec.com/?p=6164

https://web.archive.org/web/20170702100704/http://insertco.in/2014/02/10/how-i-hacked-instagram/

https://whitton.io/articles/instagrams-one-click-privacy-switch/

https://samanfatahpour.blogspot.com/2014/10/facebook-bugbounty-facebook-instagram.html

https://www.arneswinnen.net/2016/02/the-tales-of-a-bug-bounty-hunter-10-interesting-vulnerabilities-in-instagram/

https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/

https://mohankallepalli.blogspot.com/2016/04/instagram-unauthorized-comment-deletion.html

https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-instagram-account-credentials/

http://bugdisclose.blogspot.in/2017/04/instagram-email-verification-issue.html

https://philippeharewood.com/find-instagram-contacts-for-any-user-on-facebook/

https://stefanovettorazzi.com/taking_over_instagram_accounts/

Signal

https://philippeharewood.com/getting-facebook-signal-app-access-token/

Slingshot

https://philippeharewood.com/add-any-facebook-user-non-friend-to-slingshot-without-knowing-the-username/

Messenger

https://www.aryansinha.com/2017/11/session-misconfiguration-in-messenger.html

https://bugreader.com/kbazzoun@dos-facebook-messenger-webprevent-chat-from-loading-187

Moments

https://philippeharewood.com/rewriting-a-photo-not-owned-by-the-session-user-in-moments-app/

https://philippeharewood.com/delete-any-moments-app-photo-or-folder-not-owned-by-the-session-user/

Moves

https://web.archive.org/web/20171112164937/http://www.paulosyibelo.com:80/2015/12/facebooks-moves-oauth-xss.html

Whatsapp

https://immukul.blogspot.in/2016/11/whatsapp-hacked.html

http://blog.pentestnepal.tech/post/156707088037/i-got-emails-g-suite-vulnerability

https://medium.com/bugbountywriteup/whatsapp-dos-vulnerability-in-ios-android-d896f76d3253

Workplace

https://philippeharewood.com/a-walk-in-the-workplace/

https://www.youtube.com/watch?v=H0aQPcuskMo
