Youssef Sammouda (sam0) personal blog

  • Jan 29, 2023

    Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation

  • Jan 29, 2023

    DOM-XSS in Instant Games due to improper verification of supplied URLs

  • Jan 29, 2023

    Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing

  • May 14, 2022

    Multiple bugs chained to takeover Facebook Accounts which uses Gmail.

  • Mar 4, 2022

    More secure Facebook Canvas Part 2: More Account Takeovers

  • Sep 29, 2021

    Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts

  • Sep 3, 2021

    More secure Facebook Canvas: Tale of $126k worth of bugs that lead to Facebook Account Takeovers

  • Jun 27, 2021

    Oversightboard.com site-wide CSRF due to missing checking

  • Jun 27, 2021

    Disclose unconfirmed email/phone of a Facebook user

  • May 20, 2021

    Oculus SSO "Account Linking" bug leads to account takeover on third party websites and inside VR Games/Apps

  • May 13, 2021

    One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover

  • May 7, 2021

    Identify a Facebook user by his phone number despite privacy settings set

  • May 5, 2021

    Account takeover of Instagram accounts due to unrestricted permissions of third-party application's generated tokens

  • Apr 30, 2021

    Facebook account takeover due to unsafe redirects after the OAuth flow

  • Apr 2, 2021

    Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow

  • Apr 2, 2021

    Facebook account takeover due to a wide platform bug in ajaxpipe responses

  • Feb 18, 2021

    Expose Facebook object type (including private objects)

  • Feb 18, 2021

    Expose information about Partner accounts in Partner portal

  • Feb 18, 2021

    Ability to find Facebook employee's test accounts which lead to the disclosure of internal information.

  • Feb 18, 2021

    Disclose internal CMS objects content

  • Feb 18, 2021

    Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation

  • Feb 18, 2021

    XSS in Facebook CDN due to improper filtering of uploaded files extensions

  • Feb 17, 2021

    Enumerate internal cached URLs which lead to data exposure

  • Feb 17, 2021

    Leaking Facebook user information to external websites / Setting some cookies values

  • Feb 17, 2021

    Open redirect in Instagram.com

  • Feb 17, 2021

    Access private information about SparkAR effect owners who has a publicly viewable portfolio

  • Feb 17, 2021

    Make recruiting referrals on behalf of employees

  • Feb 15, 2021

    Leak of internal categorySets names and employees test accounts.

  • Feb 15, 2021

    Delete linked payments accounts of a Facebook page (or user)

  • Feb 15, 2021

    Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content.

  • Feb 15, 2021

    URLs in img tag aren't passed through safe_image.php which lead to exposure of Facebook users IPs.

  • Feb 15, 2021

    View orders and financial reports lists for any page shop

  • Jan 3, 2021

    Expose the email address of Workplace users

  • Jan 1, 2021

    XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers

  • Dec 31, 2020

    Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it

  • Nov 7, 2020

    Facebook DOM Based XSS using postMessage

  • Jul 23, 2020

    Disclose content of internal Facebook javascript modules (Revisited)

  • Jul 2, 2020

    Admin disclosure of Facebook verified pages/ Disclose Facebook employee assigned to help a verified page.

  • Jun 14, 2020

    Privilege escalation in Partners Portal to Admin access

  • Jun 14, 2020

    Internal directories enumeration in www

  • Jun 14, 2020

    Disclose the Instagram account linked to a Facebook user account or page

  • Jun 14, 2020

    Disclose internal files related to testing of some Facebook tools

  • May 2, 2020

    Exposure of Facebook object type by knowing the object ID

  • May 2, 2020

    Add draft subtitles to any Facebook video and Full Path Disclosure

  • Mar 11, 2020

    Generate valid signatures for files hosted in Facebook CDNs.

  • Mar 11, 2020

    Ability to bruteforce Instagram account's password due to lack of rate limitation protection

  • Feb 28, 2020

    Facebook CSRF bug which lead to Instagram Partial account takeover.

  • Jan 23, 2020

    Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover

  • Nov 27, 2019

    Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge

  • Sep 2, 2019

    HTML to PDF converter bug leads to RCE in Facebook server.

  • Aug 1, 2019

    Internal path disclosure in Instagram server

  • Aug 1, 2019

    Access portal of Facebook mobile retailers and see earnings and referrals reports.

  • Aug 1, 2019

    Send emails on behalf of legal_noreply@fb.com

  • Aug 1, 2019

    Download predictions details of ads plans of any business.

  • Aug 1, 2019

    View orders and financial reports lists for any page shop.

  • May 25, 2019

    Disclose files content from Facebook internal CDNs

  • Apr 22, 2019

    Disclose the content of internal Facebook Javascript modules.

  • Feb 16, 2019

    Bypass password confirmation in Facebook "DYI" feature

  • Feb 12, 2019

    Facebook CSRF protection bypass which leads to Account Takeover.

  • Feb 12, 2019

    Export Facebook audience network reports of any business

  • Feb 7, 2019

    Leak of private/in-development app ids, names and translation requests

  • Feb 7, 2019

    Internal paths disclosure due to improper exception handling

  • Jan 22, 2019

    Enroll in Facebook Ad-break program without Facebook approval

  • Jan 22, 2019

    Disclose page violations and its eligibility to use Ad-breaks

  • Jan 22, 2019

    Disclose page's admins and its Monetization payout details

  • Jan 22, 2019

    Disclose Instagram business account linked to a Facebook page

  • Jan 22, 2019

    Change payment account of any Facebook commerce page

  • Jan 22, 2019

    Expose business email and payment account balance of any Facebook commerce page.

  • Jan 22, 2019

    Bruteforce Instagram account's passwords (lack of rate limiting protection).

  • Jan 22, 2019

    Reveal if a Facebook merchant page has pending or completed orders.

  • Jan 22, 2019

    Generate Access Tokens for any Facebook user

  • Jan 22, 2019

    Modify users profiles of techprep.fb.com

  • Jan 22, 2019

    Uploading files to api.techprep.fb.com