vulnerability
Site-wide CSRF vulnerability discovered on Messenger.com, where validation of the CSRF token (fb_dtsg) was completely missing on multiple endpoints, allowing an attacker to perform unauthorized actions on behalf of a logged-in user, such as changing settings and removing users from group threads. The vulnerability affected all POST requests: the server accepted them regardless of whether the token was modified, removed, or omitted entirely.
csrf
cross-site-request-forgery
messenger
facebook
token-validation
security-testing
bug-bounty
web-security
ajax
post-request
messenger.com
Facebook
@phwd
@mazen160
fb_dtsg
XMessengerDotComSettingsEditController