Sunday, July 24, 2022

Facebook Bug POC - Contactpoint Inference through rate-limiting errors

This could have made it possible to check whether a given phone number or an email address is associated

Tuesday, January 4, 2022

Facebook Bug POC - Determine any Page Admin Role


It was possible for an attacker to determine any Page Admin Role without any interaction

Saturday, January 1, 2022

Facebook Bug POC - Determine Email Address and Phone Number of Users

By following the POC below, it was possible for a hacker to determine if a given Email Address or a Phone Number

Thursday, December 16, 2021

Facebook Bug POC - CSRF renew access to Apps

It was possible for an attacker to renew access to Apps

Thursday, June 10, 2021

Facebook Bug POC - Deleted/Modified User Website info

A deprecated legacy API field "website", when called on a user node with a whitelisted access token on Graph API,

Wednesday, May 26, 2021

View "Facebook Language" of any Facebook User (NA)

A Facebook Open Graph Object called "locale" is a part of "Localization" on Facebook.

This object can vary from node to node when called on to the servers.

Wednesday, May 5, 2021

Facebook Bug POC - Deleting Friends notifications


Two endpoints performing an Invite and a Removal to add and remove Contributors for Collections were missing rate limiting.

Every Invite would send a notification to that Friend.

Wednesday, April 28, 2021

Facebook Bug POC - Missing rate limit on Device Code verification

A GraphQL call was missing a rate limit on verifying login codes for devices.

Facebook for Devices - Facebook for Devices helps you use your Facebook account to access apps and services on

Wednesday, April 21, 2021

Facebook Bug POC - Admin disclosure by "Team members" feature

During content discovery, I was redirected to a page which pushed me to the old Facebook UI.

Wednesday, April 14, 2021

Facebook Bug POC - Group Quality Insight

Group Quality Insights - Information of what/when/why Community standards are violated in a group (Includes False News).

Who can see this info - ONLY GROUP ADMINS (Mods excluded).