Researcher Josip Franjković documented multiple race condition vulnerabilities discovered in Facebook, DigitalOcean, and LastPass that allowed attackers to bypass single-action restrictions by sending concurrent requests—including inflating page reviews, creating multiple usernames, and redeeming promo codes multiple times. All bugs were subsequently fixed and disclosed through responsible disclosure timelines.
A comprehensive writeup documenting multiple race condition vulnerabilities discovered across major platforms including Cobalt.io, Facebook, Mega, and Keybase, demonstrating how concurrent requests can bypass security controls for unauthorized financial transactions, account confirmations, and resource redemptions. The article includes detailed exploitation techniques and timelines of responsible disclosure across various bug bounty programs.
A race condition vulnerability in Facebook chat groups allows an attacker to become invisible in group conversations while maintaining full read/write access and the ability to add/remove users without triggering read receipts. By rapidly adding and removing a target user from a group conversation, an attacker can exploit timing flaws to spy on private group messages undetected.