| Download predictions details of ads plans of any business. |
|
|
|
| Internal path disclosure in Instagram server |
|
|
|
| View orders and financial reports lists for any page shop. |
|
|
|
| Disclose files content from Facebook internal CDNs |
|
|
|
| Disclose the content of internal Facebook Javascript modules. |
|
|
|
| Bypass password confirmation in Facebook “DYI” feature |
|
|
|
| Export Facebook audience network reports of any business |
|
|
|
| Facebook CSRF protection bypass which leads to Account Takeover |
|
|
|
| Internal paths disclosure due to improper exception handling |
|
|
|
| Leak of private/in-development app ids, names and translation requests |
|
|
|
| Bruteforce Instagram account’s passwords (lack of rate limiting protection). |
|
|
|
| Change payment account of any Facebook commerce page |
|
|
|
| Disclose Instagram business account linked to a Facebook page |
|
|
|
| Disclose page violations and its eligibility to use Ad-breaks |
|
|
|
| Disclose page’s admins and its Monetization payout details |
|
|
|
| Enroll in Facebook Ad-break program without Facebook approval |
|
|
|
| Expose business email and payment account balance of any Facebook commerce page. |
|
|
|
| Generate Access Tokens for any Facebook user |
|
|
|
| Modify users profiles of techprep.fb.com |
|
|
|
| Reveal if a Facebook merchant page has pending or completed orders. |
|
|
|
| Uploading files to api.techprep.fb.com |
|
|
|
| How I was able to generate Access Tokens for any Facebook user. |
|
|
|
writeups.xyz
/
Youssef Sammouda (@Samm0uda)