vulnerability
A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.
csrf
graphql
authentication-bypass
mutation
instagram
facebook
web-security
access-token-misuse
parameter-injection
business-tools
Facebook
Instagram
business.instagram.com
graph.facebook.com
BusinessToolsEntrypoint.instagram
BusinessStore.instagram
SyncAddMutations