Collection of Facebook Bug Bounty Writeups
Inspired from xdavidhu & 1hack0 this is a repo which contains Facebooks Updated BugBounty Writeups.
Contributing:
If you have/know of any Facebook writeups not listed in this repository, feel free to open a Pull Request. Please try to sort the writeups by publication date.
The template to follow when adding new writeups:
- **[MONTH DAY - $BOUNTY]** [TITLE](URL) by [NAME](TWITTER_URL)
If the bounty amount is not available, write $???
.
If no Twitter account is available, try finding something similar, like other social media page or website.
Writeups
2021:-
- [Oct 24 – $???] Tagged User Could Delete Facebook Story by Mark Rhoy
- [Oct 22 – $???] Unauthorized access to any Facebook user’s draft profile picture frames by Sandeep Hodkasia
- [Sep 29 – $10,000] Malicious Android Applications can takeover Facebook/Workplace accounts by Samm0uda
- [Sep 29 – $500] Force Browsing bug at Facebook business plan by Dewanand Vishal
- [Sep 23 – $725] Messenger for MacOS contained hardcoded FB token by Dzmitry
- [Sep 15 – $18,250] A Facebook bug that exposes email/phone number to your friends by Saugat Pokharel
- [Sep 08 – $???] Facebook email disclosure and account takeover by Rikesh Baniya
- [Sep 03 – $126,000] Tale of Account Takeovers by Samm0uda
- [Sep 01 – $1,000] Bypassing 2-Factor Authentication for Facebook Business Manager by Shubham Bhamare
- [Aug 22 – $???] IDOR enables Allow Facebook stories shared from Instagram by Mohamed Laajimi
- [Aug 18 – $3,449] Confirming any new Email Address by Lokesh Kumar
- [Aug 02- $???] Facebook Messenger indirect thread deletion by Rahul Kankrale
- [July 30 – $???] Request Review on behalf of other pages (no role in the page) in Account Quality by Sarmad Hassan
- [July 29 – $3,000] Expose Group Member by Muhammad S
- [July 24 – $1,000] Not valid bug that leads to us a multiple Valid Report by Kntjrld
- [July 23 – $500] Admin of group chat cannot remove deactivate user by Aashish Jung Kunwar
- [July 17 – $1,500] Removing Document Cover by Muhammad S
- [July 12 – $500] Linkshim Bypass by Anthony Richa
- [July 10 – $???] Facebook Email/phone disclosure using Binary search by Rikesh Baniya
- [June 27 – $500] Oversightboard.com site-wide CSRF by Samm0uda
- [June 27 – $500] Disclose unconfirmed email/phone of a Facebook user by Samm0uda
- [June 15 – $30,000] I was able to see Private, Archived Posts/Stories of users on Instagram by Mayur Fartade
- [June 13 – $15,500] User’s location diclosure in the Nearby Friends by Yavor Rusev
- [June 06 – $3000] How I could have accessed all your private videos/photos saved inside your device by Samip Aryal
- [May 31 – $???] Facebook Page Admin Disclosure by Kunjan Nayak
- [May 23 – $???] Disclose leads form details of any Facebook Business Account by Amine Aboud
- [May 22 – $500] Crossposting Live Videos by Yaswanth Mangalagiri
- [May 21 – $500] CSRF from which we can create a support ticket in Victim’s Account by Rohit kumar
- [May 21 – $500] Victim’s Anti CSRF Token could be exposed to Third-party Applications by Rohit kumar
- [May 20 – $ 1000] Third-Party Apps were still getting your private Facebook data by Samip Aryal
- [May 20 – $ 537] Instagram Live setting bug by Takashi Suzuki
- [May 20 – $12,000] Oculus SSO bug leads to account takeover on third party websites by Samm0uda
- [May 11 – $9,600] Instagram Reflected XSS by Samm0uda
- [May 10 – $500] Undeletable Messenger Room by SndpGiri
- [May 06 – $9,000] Identify a Facebook user by his phone number by Samm0uda
- [May 06 – $27,000] Unauthorized access to companies environment by Marcos Ferreira
- [May 04 – $18,000] Account takeover of accounts due to unrestricted permissions by Samm0uda
- [May 04 – $3,000] Disclose other user followers by Pratik Timilsina
- [May 01 – $500] Hijack Facebook user due to broken link on Facebook shop feature on IOS Facebook APP by SndpGiri
- [Apr 30 – $ 30,000] Facebook account takeover due to unsafe redirects by Samm0uda
- [Apr 26 – $ 6,000] Download Facebook internal mobile builds by Philippe Harewood
- [Apr 18 – $ 14,000] Remove any Facebook’s live video by Ahmad Talahmeh
- [Apr 17 – $ 1,000] Comment Goes From Page Profile Instead of Personal Profile by Aashish Kunwar
- [Apr 01 – $ 30,000] Facebook account takeover due to a wide platform bug in ajaxpipe responses by Samm0uda
- [Apr 01 – $ 12,000] Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow by Samm0uda
- [Mar 19 – $ 54,800] How I hacked Facebook: Part Two by Alaa Abdulridha
- [Mar 16 – $ 1,000] VOICE CONFUSION WHEN COMMENTING ON WATCH PARTY by Prakash Panta
- [Mar 16 – $ 9,000] Facebook Group Members Disclosure by Baibhav Anand Jha
- [Mar 04 – $ 500] Low hanging fruits on Facebook Group Room by Randy Arios
- [Mar 03 – $ 500] THE INVINCIBLE KID by Samip Aryal
- [Feb 28 – $ ???] Join Facebook Group With Unpublish Page by Gevakun
- [Feb 27 – $ ???] Disclose hidden Product Images by featuring a non-owned collection by Bassem Bazzoun
- [Feb 18 – $ ???] Open redirect in www.oversightboard.com by Sarmad Hassan
- [Feb 18 – $ 500] Expose Facebook object type by Samm0uda
- [Feb 18 – $ 3,600] Expose information about Partner accounts by Samm0uda
- [Feb 18 – $ 500] Ability to find Facebook employee’s test accounts by Samm0uda
- [Feb 18 – $ 500] Disclose internal CMS objects content by Samm0uda
- [Feb 18 – $ 500] Determine admin email addresses of Partners portal account by Samm0uda
- [Feb 18 – $ 500] XSS in Facebook CDN by Samm0uda
- [Feb 17 – $ 500] Dangling DNS Records on api.techprep.fb.com by Binit Ghimire
- [Feb 17 – $ 4,800] Enumerate internal cached URLs which lead to data exposure by Samm0uda
- [Feb 17 – $ 2,000] Leaking Facebook user information to external websites by Samm0uda
- [Feb 17 – $ 500] Open redirect in Instagram.com by Samm0uda
- [Feb 17 – $ 1,500] Access private information about SparkAR effect owners who has a publicly viewable portfolio by Samm0uda
- [Feb 17 – $ 3,000] Make recruiting referrals on behalf of employees by Samm0uda
- [Feb 15 – $ 500] Leak of internal categorySets names and employees test accounts. by Samm0uda
- [Feb 15 – $ 1,000] Delete linked payments accounts of a Facebook page (or user) by Samm0uda
- [Feb 15 – $ 12,500] Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. by Samm0uda
- [Feb 15 – $ 500] URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. by Samm0uda
- [Feb 15 – $ 500] View orders and financial reports lists for any page shop by Samm0uda
- [Feb 10 – $ ???] Sending ephemeral message to any Facebook user by Rahul Kankrale
- [Feb 03 – $ 2,000] Facebook Messenger Desktop App Arbitrary File Read by Renwa
- [Feb 02 – $ ???] Access developer tasks list of any Facebook Application by Amine Aboud
- [Feb 02 – $ ???] Create a block list in brand safety on behalf of any other user by Sarmad Hassan
- [Jan 28 – $ 4,000] Launching Internal & Non-Exported Deeplinks by Ashley King
- [Jan 14 – $ 1,000] Irremovable Facebook group album photos by Shubham Bhamare
- [Jan 08 – $ 30,000] Create post on any Facebook page by Pouya Darabi
- [Jan 08 – $ ???] Facebook: Linkshim protection bypass using fb://webview by Rahul Kankrale
- [Jan 04 – $ 5,000] Bypass of a FaceBook Page Admin Disclosure by Shubham Bhamare
- [Jan 03 – $ 5,000] Expose the email address of Workplace users by Samm0uda
- [Jan 01 – $ 30,000] XSS on forums.oculusvr.com by Samm0uda
- [Jan 01 – $ 500] Clearing tournament match score as participant by Rony K Roy
2020:-
- [Dec 31 – $ 10,000] Account takeovers in third party websites by Samm0uda
- [Dec 31 – $ 500] Blocked fundraiser organizer unable to remove themseleves by Vivek PS
- [Dec 26 – $ 1,500] Facebook page admin disclosure by “Message Seller” by Shubham Bhamare
- [Dec 20 – $ 13,125] How I was able to view anyone’s private email and birthday by Saugat Pokharel
- [Dec 19 – $ 1,000] Finding the hidden members of the private events by Vivek PS
- [Dec 12 – $ 5,000] Confirm an email address belonging to a specific user by Abdellah Yaala
- [Dec 11 – $ 7,500] How I hacked Facebook: Part One by Alaa Abdulridha
- [Nov 13 – $ 10,000] Facebook SSRF by Amine Aboud
- [Nov 13 – $ 500] Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity by Prakash Panta
- [Nov 13 – $ 16,125] How I Found The Facebook Messenger Leaking Access Token Of Million Users by Guhan Raja
- [Nov 13 – $ 500 ] Commenting on a post by opening it via page’s news-feed goes from a wrong actor by Samip Aryal
- [Nov 13 – $ 500] User’s private videos/saved videos exposed through a messenger call from a locked smartphone. by Samip Aryal
- [Nov 10 – $ 1500] Facebook iOS address bar spoofing by Rahul Kankrale
- [Nov 07 – $ 25,000] Facebook DOM Based XSS using postMessage by Samm0uda
- [Nov 04 – $ 10,750] Delete Any Photos In Facebook by Lokesh Kumar
- [Nov 02 – $ 4838] Reveal the page admin that uploaded a video on the page in comment section by Lokesh Kumar
- [Oct 30 – $ ???] Ability To Backdoor Facebook For Android by Ash King
- [Oct 21 – $ 2000] Perform substring search for emails even if Workplace admin hides email profile field. by Rahul Kankrale
- [Oct 21 – $ 3000] Facebook Page Admin Disclosure by Rahul Kankrale
- [Oct 12 – $ 500] Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account by Mustafa Ahmed
- [Oct 05 – $ 500] Easy wins : verbose error worth Facebook HOF by Mukul Lohar
- [Oct 02 – $ 10,000] Arbitrary code execution on Facebook for Android through download feature by Mukul Lohar
- [Sep 30 – $ ???] Story of a weird vulnerability I found on Facebook by Amine Aboud
- [Sep 15 – $ ???] How I Accidentally Got My First Bounty From Facebook by Bishal Shrestha
- [Sep 12 – $ ???] How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM by Orange Tsai
- [Aug 18 – $ 500] How could I Tag Photo to any user’s Scrapbook on Facebook by Raja Sudhakar
- [Aug 14 – $ 6,000] Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 by Saugat Pokharel
- [Aug 11 – $ ???] Group Admin Can’t Able to Moderate Comments by Prakash Panta
- [Aug 10 – $ ???] My 2nd 4digit Bug Bounty From Facebook by Sudip Shah
- [Aug 08 – $ 500] Reflected XSS in Facebook’s mirror websites by Sudhanshu Rajbhar
- [July 30 – $ ???] Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook by Ashok Chapagai
- [July 27 – $ ???] Disclose content of internal Facebook javascript modules by Samm0uda
- [July 17 – $ ???] Story Of 4 digit bounty by Sudip Shah
- [July 02 – $ 1500] Browser Anamoly by easySIEM
- [July 02 – $ 5500] Admin disclosure of Facebook verified pages by Samm0uda
- [June 25 – $ ???] Hidden Comments by Saugat Pokharel
- [June 21 – $ ???] XSS-On-Facebook by Bipin Jitiya
- [June 20 – $ 1500] Information Disclosure On Facebook by Alaa Abdulridha
- [June 18 – $ ???] Page-Admin-Disclosure by Saugat Pokharel
- [June 14 – $ ???] Privilege escalation in Partners Portal to Admin access by Samm0uda
- [June 14 – $ ???] Disclose the Instagram account linked to a Facebook user account or page by Samm0uda
- [June 14 – $ ???] Internal directories enumeration in www by Samm0uda
- [June 05 – $ ???] Delete saved credit cards from any Business Manager Account by Rohit kumar
- [June 02 – $ 10000] Another image removal vulnerability on Facebook by Pouya Darabi
- [May 28 – $ ???] How I made $31500 by submitting a bug to Facebook by Bipin Jitiya
- [May 28 – $ ???] How I was able to see Private Video Uploader Via Facebook Rights Manager by Kishore TK
- [May 21- $ ???] Cannot Revoke Session on Messenger for Kids by Saugat Pokharel
- [May 21 – $ ???] Bypassing Message Request inbox by Abdellah Yaala
- [May 20 – $ ???] Change any link at https://fbwat.ch/ by Philippe Harewood
- [May 20 – $ 7500] Become member of close & public group by abdellah yaala
- [May 18 – $ 1500] FB & Messenger for iOS : Address Bar spoofing using data uri by Rahul Kankrale
- [May 12 – $ 750] Change the profanity filter for any Facebook page by Philippe Harewood
- [May 07 – $ 20000] $20000 Facebook DOM XSS by Vinoth Kumar
- [May 02 – $ ???] Private Dashboards were accessible by Rohit kumar
- [May 02 – $ ???] Exposure of Facebook object type by knowing the object ID by Samm0uda
- [May 02 – $ ???] Add draft subtitles to any Facebook video and Full Path Disclosure by Samm0uda
- [Apr 16 – $ 750] Recieving instagram notifications after Logout by Jane Manchun Wong
- [Apr 04 – $ ???] Cannot Delete Post on Facebook Group: Facebook Bug Bounty by Saugat Pokharel
- [Apr 01 – $ ???] The story of my first ever, $xxxx by Ashok Chapagai
- [Mar 14 – $ ???] Blocked User Can Send Notification Due to Logical Bug by Divyanshu Shukla
- [Mar 13 – $ ???] Generate valid signatures for FBCDN urls by Philippe Harewood
- [Mar 11 – $ ???] Generate valid signatures for files hosted in Facebook CDNs by Samm0uda
- [Mar 11 – $ ???] Ability to bruteforce Instagram account’s password due to lack of rate limitation protection by Samm0uda
- [Mar 01- $ 55,000] Facebook OAuth Framework Vulnerability by Amol Baikar
- [Feb 29 – $ 3000] Page Admin Disclosure via an Upgraded Page Post by dw1
- [Feb 28 – $ 12,500] Facebook CSRF bug which lead to Instagram Partial account takeover. by Samm0uda
- [Feb 17 – $ 500] Open-redirect Vulnerability on Facebook by Ashok Chapagai
- [Feb 08 – $ ???] Determine users with detailed role model on behalf of any Facebook Application by Amol Baikar
- [Feb 04 – $ ???] Allowing Read From The File System Access by Ashok Chapagai
- [Feb 02 – $ ???] Disclose Full Admin List of any Facebook Applications by Amol Baikar
- [Jan 26 – $ ???] XSS on Facebook-Instagram CDN Server bypassing signature protection by Amol Baikar
- [Jan 26 – $ ???] Disclose Facebook Business Account ID by Amol Baikar
- [Jan 26 – $ ???] XSS on Facebook’s acquisition Oculus CDN Server by Amol Baikar
- [Jan 23 – $ 12,500] Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover by Samm0uda
- [Jan 22 – $ 500] Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic by Ritish Kumar Singh
2019:
- [Dec 29 – $ ???] Information Disclosure Bug by Circle Ninja
- [Dec 26 – $ ???] Bypassing Brand Collabs Manager Eligibility on Facebook by Ajay Gautam
- [Dec 13 – $ ???] Facebook New Account Verification Bypass by Santosh Baral
- [Dec 09 – $ 3,000] Media deletion CSRF vulnerability on Instagram by Pouya Darabi
- [Nov 27 – $ 5,000] Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge by Samm0uda
- [Nov 21 – $ 1,000] Disable Any Unconfirmed Account in Facebook by Lokesh Kumar
- [Nov 20 – $ ???] Delete Facebook Ask for Recommendations post’s place objects in comments by Raja Sudhakar
- [Nov 19 – $ ???] Disclose the owner of a recruiting manager in Jobs Beta by Philippe Harewood
- [Nov 16 – $ ???] View the ranked messenger users for any page by Philippe Harewood
- [Oct 30 – $ 500] Live Video facebook application (Android) its not expired when log out by Naufal Septiadi
- [Oct 28 – $ ???] Crash web — app through application form of job application pages by TienDat
- [Oct 24 – $ 1,500] Session Expiration Bypass in Facebook Creator App by Philippe Harewood
- [Oct 22 – $ 3,000] Disclose members in any closed Facebook group by Ahmad Talahmeh
- [Oct 17 – $ ???] 1-800-Flowers Credentials and message log leak via facebook.com/facebook by Philippe Harewood
- [Oct 15 – $ 500] Disclosure the verified phone number in Checkpoint. by TienDat
- [Oct 12 – $ ???] Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. by Rohit kumar
- [Sep 21 – $ 500] Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public by Guhan Raja
- [Sep 20 – $ ???] Business ID leak via Creative Hub redirect by Philippe Harewood
- [Sep 13 – $ ???] How two dead accounts allowed remote crash of any instagram android user by Valbrux
- [Sep 12 – $ ???] Facebook employee internal tool and conversations leaked in Facebook video by Philippe Harewood
- [Sep 12 – $ ???] Add users to roles on Facebook pages without an invitation consent by Philippe Harewood
- [Sep 10 – $ ???] Subscribe to the list of requesters to join a Facebook live video using MQTT by Philippe Harewood
- [Sep 09 – $ 750] Oculus identity verification bypass through brute-force by karthik kumar reddy
- [Sep 02 – $ 1,000] HTML to PDF converter bug leads to RCE in Facebook server by Samm0uda
- [Aug 26 – $ 10,000] How I Hacked Instagram Again by Laxman Muthiyah
- [Aug 24- $ ???] Create living room polls as a Facebook page analyst by Philippe Harewood
- [Aug 22 – $ ???] Rights Manager Graph API Disclosure of business employee to non business employee by Jafar_Abo_Nada
- [Aug 21 – $ 500] Instagram account is reactivated without entering 2FA ($500) by Philippe Harewood
- [Aug 21 – $ ???] Sending Message as page being an analyst/ advertiser by Baibhav Anand
- [Aug 19 – $ ???] Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device by Arvind
- [Aug 19 – $ 2,500] Removing profile pictures for any Facebook user by Philippe Harewood
- [Aug 18 – $ ???] Add users to roles on Facebook pages without an invitation consent (revisited) by Philippe Harewood
- [Aug 15- $ ???] ByPassing fix of Domain Blocking feature in Business Manager by Rohit kumar
- [Aug 15 – $ ???] Facebook Messenger exposing deleted messages using by Renwa
- [Aug 01 – $ ???] Download predictions details of ads plans of any business. by Samm0uda
- [Aug 01 – $ ???] Internal path disclosure in Instagram server by Samm0uda
- [Aug 01 – $ ???] Access portal of Facebook mobile retailers and see earnings and referrals reports. by Samm0uda
- [Aug 01 – $ ???] View orders and financial reports lists for any page shop by Samm0uda
- [July 26- $ ???] Instagram bug disclosing user’s phone number via checkpoint by Bijan Murmu
- [July 21 – $ ???] Subscribe to typing notifications for any Instagram user by Philippe Harewood
- [July 20 – $ ???] Get Page Inbox notifications for any Facebook page by Philippe Harewood
- [July 17 – $ 500] How Recon helped me to to find a Facebook domain takeover by Sudhanshu Rajbhar
- [July 16 – $ 3,000] CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook by Lokesh Kumar
- [July 15 – $ ???] Sending messages as a page with jobmanager permission by Devansh batham
- [July 14 – $ 30,000] How I Could Have Hacked Any Instagram Account by Laxman Muthiyah
- [July 12 – $ 500] Facebook Bug bounty page admin disclose bug by Yusuf Furkan
- [July 04 – $ 2000] This is how I managed to win $2000 through Facebook Bug Bounty by Saugat Pokharel
- [July 04 – $ 500] Unremovable Co-Host in facebook page events by Ritish Kumar Singh
- [June 28 – $ ???] Page admin disclosure by Bijan Murmu
- [June 26 – $ ???] Toggle Group Rules Agreement as a non-member by Philippe Harewood
- [June 24 – $ ???] Download .arexport files for any public AR Studio Effect by Philippe Harewood
- [June 22 – $ ???] Page Admin Disclosure by Ajay Gautam
- [June 17 – $ 500] Business user Employees could have applied block list to all ad accounts listed in the business manager. by Rohit kumar
- [June 11 – $ 1,500] Facebook Vulnerability: Non-unfriendable user in /hacked workflow by Ritish Kumar Singh
- [May 27- $ ???] View Facebook payouts for any Facebook Trivia Game by Philippe Harewood
- [May 25 – $ ???] Disclose files content from Facebook internal CDNs by Samm0uda
- [May 22 – $ 1,000] Determine a Facebook user from an email address by Philippe Harewood
- [May 17 – $ 500] Bypassing Instagram’s stories restriction by Baibhav Anand
- [Apr 30 – $ 3,000] Facebook’s URL spoofing vulnerability by Rahul Kankrale
- [Apr 23 – $ 5,000] Facebook’s Burglary Shopping List by Philippe Harewood
- [Apr 22 – $ ???] Disclose the content of internal Facebook Javascript modules. by John Moss
- [Apr 02 – $ 1,000] Hiding from Facebook Page Admin(s) in /hacked workflow by Ritish Kumar Singh
- [Apr 01 – $ ???] How I was able to get your facebook private friend list by Raja Sekar Durairaj
- [Mar 24 – $ 500] Facebook Marketing Confidential Call Transcript by Philippe Harewood
- [Mar 19 – $ 10,000] Denial of service in Facebook Fizz due to integer overflow by kevin_backhouse
- [Mar 19 – $ 750] DoS Across Facebook Endpoints by Max Pasqua
- [Mar 16 – $ 4,000] Disclosure of Pending Roles for any Facebook Page by Avinash Kumar
- [Mar 11 – $ 1,000] CVE-2018-16794 on fs.thefacebook.com by Philippe Harewood
- [Mar 07 – $ ???] Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack by Ron Masas
- [Mar 06 – $ ???] Facebook Messenger server random memory exposure through corrupted GIF image by Dzmitry Lukyanenka
- [Mar 05 – $ 1,000] Facebook exploit – Confirm website visitor identities by Tom Anthony
- [Feb 16 – $ ???] Bypass password confirmation in Facebook “DYI” feature by Samm0uda
- [Feb 16 – $ 1,000] Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk by Rohit kumar
- [Feb 14 – $ ???] Third Party Android App Storing Facebook Data Insecurely by Nightwatch Cybersecurity
- [Feb 13- $ 15,000] Disclose private attachments in Facebook Messenger Infrastructure by Sarmad Hassan
- [Feb 12 – $ 25,000] Facebook CSRF protection bypass which leads to Account Takeover by Samm0uda
- [Feb 12 – $ ???] Export Facebook audience network reports of any business by Samm0uda
- [Feb 07 – $ ???] Internal paths disclosure due to improper exception handling by Samm0uda
- [Feb 07 – $ ???] Leak of private/in-development app ids, names and translation requests by Samm0uda
- [Jan 25 – $ ???] Facebook Change Product Availability as a PageAnalyst by onehackzero
- [Jan 22 – $ ???] Enroll in Facebook Ad-break program without Facebook approval by Samm0uda
- [Jan 22 – $ ???] Disclose page’s admins and its Monetization payout details by Samm0uda
- [Jan 22 – $ ???] Disclose page violations and its eligibility to use Ad-breaks by Samm0uda
- [Jan 22 – $ ???] Disclose Instagram business account linked to a Facebook page by Samm0uda
- [Jan 22 – $ ???] Change payment account of any Facebook commerce page by Samm0uda
- [Jan 22 – $ ???] Expose business email and payment account balance of any Facebook commerce page. by Samm0uda
- [Jan 22 – $ ???] Reveal if a Facebook merchant page has pending or completed orders by Samm0uda
- [Jan 22 – $ ???] Lack of rate limiting protection by Samm0uda
- [Jan 22 – $ ???] Generate Access Tokens for any Facebook user by Samm0uda
- [Jan 22 – $ ???] Modify users profiles of techprep.fb.com by Samm0uda
- [Jan 22 – $ ???] Uploading files to api.techprep.fb.com by Samm0uda
- [Jan 15 – $ 500] Unremovable facebook group admin by Ritish Kumar Singh
- [Jan 13 – $ ???] Hack Your Form – New vector for Blind XSS by Youssef A. Mohamed
- [Jan 11 – $ ???] Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty by Ajay Gautam
- [Jan 11 – $ ???] Facebook PageAnalyst Could Add oneself as Moderator on Group by onehackzero
- [Jan 08 – $ ???] View the contact list for a Messenger Kid as a parent-approved contact by Ash King
- [Jan 05 – $ 750] Facebook Android Application by Ash King
- [Jan 04 – $ 1,000] Stealing Side-Channel Attack Tokens in Facebook Account Switcher by Max Pasqua
2018:
- [Oct 09 – $ ???] Facebook-Business-Takeover by Philippe Harewood
- [Aug 22 – $ ???] Send-Payment-Invoices-As-Any-Facebook-Page by Philippe Harewood
- [Aug 09 – $ 5,000] Remote Code Execution on a Facebook server by Sec team
- [Jul 24 – $ ???] Disclose-Page-Admins-Via-Gaming-Dashboard-Bans by Philippe Harewood
- [Jul 18 – $ ???] Determine-Members-In-A-Closed-Facebook-Group by Philippe Harewood
- [Jul 12 – $ ???] Application-Secret-Embedded-In-Login-Flow-For-Facebook-Swag-Store by Philippe Harewood
- [Jun 13 – $ ???] Disclose-Page-Admins-Via-Job-Source-Recruiter-Requests by Philippe Harewood
- [May 23 – $ 500] Toggling comment option of a post in a linked group as an analyst. by asad0x01
- [May 17 – $ 750] Make products Out of Stock in Facebook Pages by Neeraj Gopal
- [Apr 01 – $ 500] Leaking of page store details by Neeraj Gopal
- [Mar 31 – $ 3000] Setting up tests for any App by Neeraj Gopal
- [Mar 27 – $ ???] Disclose-Page-Admins-Via-Watch-Parties-In-A-Facebook-Group by Philippe Harewood
- [Mar 16 – $ 1000] See unpublished jobs of any page. by asad0x01
- [Mar 16 – $ ???] View-Facebook-Friends-For-Any-User by Philippe Harewood
- [Mar 15 – $ ???] Disclose-Facebook-Page-Admins-Via-Facebook-Camera-Effects by Philippe Harewood
- [Mar 16 – $ ???] View-Private-Instagram-Photos by Philippe Harewood
- [Mar 13 – $ ???] View-The-Facebook-Stories-For-Any-Media-Effect by Philippe Harewood
- [Mar 10 – $ ???] Access to FBConnections by Philippe Harewood
- [Feb 24 – $ 1,500] How I was able to delete any image in Facebook community by Sarmad Hassan
- [Feb 23 – $ ???] Disclose-Facebook-Page-Admins-In-3d by Philippe Harewood
- [Feb 21 – $ ???] Change-The-Background-Of-3d-Posts-For-Any-Facebook-User by Philippe Harewood
- [Feb 11 – $ ???] Create-Learning-Units-For-Any-Group by Philippe Harewood
- [Jan 22 – $ ???] Path-Disclosure-In-Instagram-Ads-Graphql by Philippe Harewood
- [Jan 16 – $ ???] View-The-Vr-Experiences-For-Any-Oculus-User by Philippe Harewood
- [Jan 15 – $ ???] View-The-Email-Subscriptions-For-Any-Oculus-User by Philippe Harewood
- [Jan 15 – $ ???] View-The-Bug-Subscriptions-For-Any-Oculus-User by Philippe Harewood
- [Jan 10 – $ ???] Unintended-Control-Over-The-Email-Body-In-Partner-Integration-Email-Instructions/ by Philippe Harewood
- [Jan 05 – $ ???] Disclose-Page-Admins-Via-Our-Story-Feature by Philippe Harewood
2017:
- [Dec 26 – $ ???] Facebook-Ad-Spend-Details-Leaking-For-Facebook-Marketing by Philippe Harewood
- [Dec 21 – $ ???] Searching-Internal-Gatekeeper-Constants by Philippe Harewood
- [Oct 24 – $ ???] Make-Recruiting-Referrals-On-Behalf-Of-Facebook by Philippe Harewood
- [Oct 26 – $ ???] Posting-Gifs-As-Anyone-On-Facebook by Philippe Harewood
- [Oct 11 – $ ???] View-Former-Members-Of-A-Facebook-Group by Philippe Harewood
- [Oct 08 – $ ???] Facebook-Graphql-Csrf by Philippe Harewood
- [Sep 18 – $ ???] Disclose-Users-With-Roles-On-Facebook-Pages by Philippe Harewood
- [Aug 24 – $ ???] Facebook-Stories-Disclose-Facebook-Friend-List by Philippe Harewood
- [May 11 – $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User-Revisited by Philippe Harewood
- [May 08 – $ ???] Determine-A-User-From-A-Private-Phone-Number by Philippe Harewood
- [Mar 24 – $ ???] Find-Instagram-Contacts-For-Any-User-On-Facebook by Philippe Harewood
- [Feb 02 – $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User by Philippe Harewood
- [Jan 20 – $ ???] Delete-A-Hotel-Object-From-A-Facebook-Product-Catalog by Philippe Harewood
- [Jan 04 – $ ???] See-If-Any-Facebook-User-Is-Marked-In-A-Crisis by Philippe Harewood
- [Jan 04 – $ ???] Order-Facebook-Friends-By-Facebook-Recruiting-Technical-Coefficient by Philippe Harewood
Leave a Reply