Leaking Facebook user information to external websites

ysamm.com · Samm0uda · 2 months ago · research
Posted Feb 17, 2021 (listed on the site as "Leaking Facebook user information to external websites / Setting some cookies values")