Yaswanth Mangalagiri

I was actually willing to see my name in this Page of the year 2022.  I thought I would miss but anyway I made it at the end of the year by finding this interesting security Bug. So, this bug is found in the Facebook Commerce Page.  First, The Page admin creates an Order in the Page Inbox to a user and that sends the order to the User.    The Paid checkbox can only be seen ticked when the Admin Marks the Order as paid and the User has no way to hack it. The user can mark only Received but he cannot mark Paid or Dispatched, only the Page admin has the access to do it. So after the admin has maked the order as paid the user will get the option to Mark the order as Received or Dispatched, The HTTP Request while marking the order as RECEVIED would be  I observed in the variable parameter in the message body has mark_as_received . What if I replace the received with paid. I created a new order and did that BOOM ! The order is marked as paid in the Page Admin's Inbox Timeline: October,

 One million views can make you earn $300 - $ 1000. So what are the deciding factors. Subscribes Total watch hours or minutes Subscriber count

Group Admin invites the User with link.   The User opens the discussion page and sees the Join Group Button  user will request to join the group and his request will be declined After the user reloads the page he'll be shown with No Content  page. But the user can send a request to join from the Discussion page.  

 Page editor cannot see the crossposting Page in the Page Settings. But he can use a HTTP Post Request to send an invitation

There's an annoying feature on Youtube it's called End Screen. When the video is about to end there would be thumbnails of videos that occupy the entire video, giving you a bad experience.  The End screen of any video can be crafted from YouTube Studio The End Screen button opens up a popup that displays radio button, that lets you choose a video that is in your uploaded vidoes.  If you video is private, it shows that The video is private and will be replace with some other video. Now if the video is unlisted it allows you to happily add it in the end screen without notifying that it's an unlisted Video.

Your requests seem to be a success but what happens if the totally out of the world scenarios. Don't get fooled by the 200 OK response for Insecure direct object reference.