7/10
vulnerability
A CSRF vulnerability in Facebook's OAuth Device Login flow allowed attackers to steal user access tokens by exploiting the lack of state parameter protection during the device code verification step. The attack required the victim to have approved an application with device login enabled, making it a conditional but potentially high-impact vulnerability.
Facebook
Josip Franjković
graph.facebook.com
m.facebook.com