Hacking Monks
May the bruteforce be with you!
Sunday, July 24, 2022
Facebook Bug POC - Contactpoint Inference through rate-limiting errors
This could have allowed to match if a given phone number or an email address is associated
Tuesday, January 4, 2022
Facebook Bug POC - Determine any Page Admin Role
It was possible for an attacker to determine any Page Admin Role without any interaction
Saturday, January 1, 2022
Facebook Bug POC - Determine Email Address and Phone Number of Users
By following the POC below, it was possible for a hacker to determine if a given Email Address or a Phone Number
Thursday, December 16, 2021
Facebook Bug POC - CSRF renew access to Apps
It was possible for an attacker to renew access to Apps
Thursday, June 10, 2021
Facebook Bug POC - Deleted/Modified User Website info
A deprecated API legacy field "website", when called out on a user node with a whitelisted access token on Graph API,
Wednesday, May 26, 2021
View "Facebook Language" of any Facebook User (NA)
A Facebook Open Graph Object called "locale" is a part of "Localization" on Facebook.
This object can vary from node to node when called on to the servers.
Wednesday, May 5, 2021
Facebook Bug POC - Deleting Friends notifications
Two endpoints performing an Invite and a Removal to add and remove Contributors for Collections were missing rate limiting.
Every Invite would send a notification to that Friend.
Wednesday, April 28, 2021
Facebook Bug POC - Missing rate limit on Device Code verification
Facebook for Devices - Facebook for Devices helps you use your Facebook account to access apps and services on
Wednesday, April 21, 2021
Facebook Bug POC - Admin disclosure by "Team members" feature
During content discovery, I was redirected to a page which pushed me to the old Facebook UI.
Wednesday, April 14, 2021
Facebook Bug POC - Group Quality Insight
Group Quality Insights - Information of what/when/why Community standards are violated in a group (Includes False News).
Who can see this info - ONLY GROUP ADMINS (Mods excluded).