Rohit Kumar (@Rohitcoder)

Title	Vulnerabilities	Programs	Authors
CSRF from which we can create a support ticket in Victim’s Account (500$)	CSRF	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$)	Information Disclosure	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Page shops with a hidden Product in “Featured product section” which could be controlled by attacker (Ex Editor).	Logic Flaw	Meta / Facebook	Rohit Kumar (@Rohitcoder)
[IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty	IDOR	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Private Dashboards were accessible by other Admins in Analytics Dashboard	Broken Authorization	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts.	Broken Authorization	Meta / Facebook	Rohit Kumar (@Rohitcoder)
ByPassing fix of Domain Blocking feature in Business Manager	Broken Authorization Logic Flaw	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Business user Employees could have applied block list to all ad accounts listed in the business manager.	Broken Authorization Logic Flaw	Meta / Facebook	Rohit Kumar (@Rohitcoder)
User Account Takeover [Password Change]— Nice Catch!	Account Takeover Password Reset	Undisclosed	Rohit Kumar (@Rohitcoder)
Stored XSS on Edmodo	Stored XSS	Edmodo	Rohit Kumar (@Rohitcoder)
Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk	Information Disclosure	Meta / Facebook	Rohit Kumar (@Rohitcoder)
Object name Exposure — ING Bank Responsible Disclosure Program	Information Disclosure	ING Bank	Rohit Kumar (@Rohitcoder)
Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager	Logic Flaw Information Disclosure	Meta / Facebook	Rohit Kumar (@Rohitcoder)

Page 1 of 1