An IDOR vulnerability in Facebook Events allowed attackers to add any user—including non-friends and blocked contacts—as co-hosts to personal events by tampering with the co_hosts parameter in the event creation request. The vulnerability was patched by Facebook and rewarded $750 through their bug bounty program.
An IDOR vulnerability in Facebook's video poll feature allows attackers to delete polls from other users' videos by manipulating the deleted_poll_ids parameter in POST requests to the video editing endpoint.
A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.
Site-wide CSRF vulnerability discovered on Messenger.com where CSRF token (fb_dtsg) validation was completely missing on multiple endpoints, allowing attackers to perform unauthorized actions like changing settings and removing users from group threads. The vulnerability affected all POST requests regardless of whether the token was modified, removed, or omitted entirely.