Archive: Jan 2020

Disclose contact_email of any Facebook application

In the Facebook developer application dashboard there is a field, “contact_email”, which is meant to be secret and is used for communication between the app admin/developer and Facebook. Access to this field through the Graph API was secured, but by changing the query field to a GraphQL call, I was able to access the email ID of any Facebook application. Proof of concept request: […]


Disclose Facebook Business Account ID

The Graph API field “business” on node type “application” could be used to infer the Business Account ID that was associated with the Facebook application. However, the Business account is a public ID and Facebook doesn’t consider it a privacy risk or security issue. But the bug was also valid, as a malicious user can infer asset type […]


XSS on Facebook’s acquisition Oculus CDN Server

I would suggest you first read the previous post here: How I bypassed Facebook CDN content’s signature protection. Oculus was acquired by Facebook, and the Oculus CDN server is also in the scope of the Facebook Bug Bounty Program. The same bug was present on “oculuscdn.com”. On “oculuscdn.com” the bug was very simple and straightforward. Just […]


XSS on Facebook-Instagram CDN Server bypassing signature protection

All Facebook and Instagram photos, videos and other content are stored on their CDN servers, such as “*.fbcdn.net” and “*.cdninstagram.com”, and are served via various sub-domains. All of the photos/videos on the CDN servers contain a signature in the URL (various parameters, “oh”, “oe”, etc.), which causes an error to be thrown if we […]
