Posts

Showing posts from 2020

How much money do YouTube and its creators make?

MONEY... MONEY... MONEY... This world is running after MONEY. Who the hell invented this money?? Now, coming to the post: YouTube makes most of its money through subscriptions and pay-per-view movies. Then came YouTube PREMIUM. And the endless ads ON the video, BEFORE the video starts, AFTER the video ends, and somewhere BETWEEN, when you are in a nice mood and completely drenched in the video's dialogues and scenes. The so-called YouTubers get paid $6 per 1000 views on average. The pay also depends on where the video is played. If the video is played in the U.S., it gets better payments than if it is played in countries with a low economy. I don't want to mention any names because you already know them😀😀..

Facebook Secret : Facebook Bug Bounty Page Hack

Facebook Secrets If you have the opportunity to assign a role to any FB user for a Page, you have roles like Admin, Editor, Moderator, Advertiser and Analyst. If you assign User A the role of Admin, he will get a message that you have sent a request to accept the role for the page. If the same user is now changed to Editor, then User A gets a notification that the role is being demoted and needs his approval. But if the role is demoted from Editor to Advertiser, then the user won't get any notification that the role in the Page is being modified. How to Publish a Facebook Page? Suppose you are the admin of the Page; then you would get a banner at the top of the Home Page saying that the Page isn't visible and needs to be published, with a "Publish" button against it. Now you have 2 options to publish the Page: 1. You can click on PUBLISH Page, or 2. You can go to Page Settings > General. In the first option you have Publish

Facebook Page Location $$$$ Privilege escalation bug

This is all about the Location of a Facebook Page. A Page Moderator can edit the additional location settings of the Page. The image below shows the Location details of the Page in the Settings. The Location Settings of the Facebook Page can be edited only with privileges above the Editor. Here's the HTTP POST request that can edit the Location.

POST /api/graphql/ HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1962
Origin: https://www.facebook.com/
Connection: close
Referer: https://www.facebook.com/888888/page/info/editing/?entry_point=comet&end_point=comet_left_nav_bar&interface=full_page
Cookie:****

av=PAGE_ID&__user=88888&__a=1&__dyn=/-*/&__csr=//**-/***-**-2yqqcjyi2-/**-*-**&__req=1g&__beoa=0&__pc=EXP3%3Acomet_pkg&dpr=1&__ccg=GOOD&__rev=100291723

Facebook Bug Delete any photo $$$$$

Most hackers don't write bounty stories on their blogs because they are scared that the exploited bug could be used wrongly by other so-called white hat hackers to bypass it. One heck of a story is what I read recently. One guy found a bug on Facebook that could delete any photo on Facebook; it was worth $10000, and he wrote about the bug on his site. Then immediately another mediocre hacker read that blog post, exploited the same bug in a different way, and that useless hacker got the same bounty. That's the reason why the top hackers who vigorously earn a lot of money through bounties don't post on their cretins blog. Such narrow-minded hackers don't want to help others grow. Totally stupid hackers. Another shade of this story is that the hacker who earned a lot of money was cheated by his own mediocre mistake of exposing the bug and he totally lost $10000

Deploy Rails Application on Amazon Elastic Bean

First, sign in to the console of Amazon Web Services (AWS) and, in the navigation pane, select ElasticBean. Click on Applications and then on the Create Application button, name the application and click on Create. This will create the application. Now you need to create the environment. You need to select the Ruby version. I selected 2.6. The Ruby version on your local machine and the Ruby version on AWS must be the same, otherwise it will fail while deploying. You also need to check the Puma version; it must also match that of AWS. The Puma version is mentioned in the Gemfile of the Rails app. Leave the rest and now click on Create. Deploying the Application. Go to your local folder of the Rails project and run eb init at the root of the app. This will create the ebbeanstalk environment folder. You will be prompted to use CodeCommit. Choose Yes. Then run git add. Then you will be prompted to create a repo. Create a new one. Then select the master branch as shown in the i

Amazon Web services elastic bean Django (Python) + ReactJS in production in Amazon Web Services, Elastic Bean, S3

Merging Django & React App Production

React App Scenario
1. In the .env file
· Add PUBLIC_URL = [s3 url]
This will create absolute paths for the CSS and JS files in the index.html of the production build; by default they will be relative links. S3 URL is the Amazon S3 Bucket URL.
2. Run npm run build at the root of the React app. This will create a production build.

Django App Scenario
1. pip3 install django-storages (third-party app for storage for Django in S3)
2. Add the following in the settings.py
· DEBUG = False
· Add 'storages' in the INSTALLED_APPS
Mention the AWS OPTIONS
· AWS_S3_REGION_NAME = "us-east-1"
· AWS_ACCESS_KEY_ID = "DXS6TUMYE4O3OR"
· AWS_SECRET_ACCESS_KEY = "rcDeN6/Bxb8R01aRRviD2QP/a"
· AWS_STORAGE_BUCKET_NAME = 'lithific-s3-storage'
· STATICFILES_DIRS = [ os.path.join(BASE_DIR, &q

YouTube Bug : Disclose Private Featured Channels

I don't know what's wrong with the bug bounty programs, but I've found that due to this COVID-19 situation they are intentionally closing the reports as duplicates. I reported a bug in YouTube Channels. There is an option for the user to set his featured channels to private. Featured channels are meant to be public, actually. Ironic!! There is a private button if you visit your Channel's Featured Channels. Visit Channel settings and toggle off the button for "Customize your Channel". Then, check the tick off the Private button. You see that the Featured channels will not be shown to the users who visit your channel page. But here's the bug if you keep visiting or reloading the featured channels page. For example this URL :  Load it repeatedly and you find your featured channels get disclosed sometimes. That's the story of this weird bug. That's a bummer as reply given by those Google Engineers. This was the second bug that was closed as duplicate. I th

Facebook Group Bug | Muted members can edit the events

Workplace is Facebook's child. It has a community, and within it there can be groups. There can also be groups that are created outside the community. A Workplace Group has a feature called Events, which lets its members create Events as well as edit them. When a user has created an Event in a Group and is later muted, he could change details like the Name of the Event and the location. But while muting a user, this is the alert shown in the UI. What it says is that it only allows the user to VIEW the group. When it says so, why did it allow the Group to be edited? Now, when the same member is muted in the group, he can only view the contents in the Group. Here's something which is ironic: THE STATUS. When the event editing isn't allowed, the status also must be the same. So, when a user has updated a status in the Group and edits it and captures the HTTP request. The HTTP Request would be as follows.

POST /webgraphql/mutation/?doc_id=1396480790477967 HTTP/1.1
Host: my.

Facebook Messenger Bug - Set nick name for a Facebook Page from Messenger

I've been submitting a couple of bugs that I found in users' Messenger or a Facebook Page's inbox. The tricky thing from the team is that the bugs are not getting accepted at all, just because of COVID. One of the bugs in my previous post was about setting the emoji, but it was reported as a duplicate just because they were already aware, or they don't want to pay the users and want to escape the payments as the U.S. is already in Depression and because of leadership 😜 Let's get into the bug details.. For users it is normal to set nicknames for the friends who are in their chat list. But for Facebook Pages the option doesn't appear. There is actually no UI for setting names for an FB Page. All the options that appear in Messenger for a normal user are: Setting Emoji, Setting Nick Name, Setting Theme. There are different roles for Facebook Pages: Admin, Editor, Moderator, who could access the Page's Inbox. The HTTP Request that is

Facebook Messenger bug. React to any message on behalf of a Facebook Page

Reacting to Facebook Messages. An Admin can interact with his Facebook Page through the Facebook Page's Inbox; there is no UI to react to the messages with HAHA, LOVE, etc. Reply to the messages. You must know about WhatsApp messenger's Reply feature, where you can reply to a particular message. There is something similar for Facebook Messenger too. You can reply to a message by hovering over the message, and there will be a "Reply" option. Click on that. Now type some random message, click on "Send" and intercept the request. You can find in the HTTP Request that there is a parameter "message_id" in the message body. Change it to some other message_id that doesn't belong to the chat that you currently have open. Now I sent the request. There was an error thrown saying "The content is longer available". Now my next adventure to try to find a bug in the Messaging continues. If you have a conversation with your girlfriend you can alway

Facebook comments Spam Bypass

Facebook comments don't allow you to post the same comment all the time, and this is the story of how I bypassed this spam protection. It was a very hot afternoon and I was scrolling my Facebook News Feed, which was flooded with posts from actors and others. I was continuously posting the URL of a YouTube video. Actresses and other Facebook Pages allow commenting. So I was commenting the same URL on a lot of posts, including the actors'. Suddenly a pop-up was shown saying You can't post at this time and it was going against our terms of service. So I thought, I need to bypass this. I just posted another URL of the video. Now it allowed me to post!!! What a surprise!! It allowed me to post a different URL. I was curious to know why it happened, and next I posted the previous URL that I had been posting continuously once again. Again there was an alert pop-up showing the same message about spam. If you are aware about the Linkshim that facebook uses.

Instagram private account stories View any private account story

Last Sunday, I was testing Instagram stories with two devices: one an Android phone and the other a desktop with Windows OS. User A is on the Android device and User B on Windows. Scenario 1: Story settings of User A. "Who could reply to your stories" has 3 options: Your followers; People you follow back; No one can reply. From User B's account, I turned on the web proxy. I opened up the story of User A, who had just posted. Now I started replying to his story and eventually turned on the proxy. I clicked on the Send button. I also started to reply to the stories of a few celebrities of India, but all good comments.😂 There was a POST HTTP request that was sent from my browser to the Instagram servers:

POST direct/***//**/send
Cookie: ajdslfkjalksdjfl;jasldjflajsdf
X-INSTAGRAM-Header: qlwejrjqwejjqw
X-CSRF:aljslkjflk;ajsldfj

text="USER"&repliedToMedia=[STORY_ID]

Now I sent this to repeater. Now with User A's account I changed the se

XSS OWASP | Cross site Scripting - What is it ?

What is Cross-site scripting, or XSS? XSS is ranked among the top 3 Web App Vulnerabilities in OWASP. It is basically the injection of scripts, JavaScript (JS), that run on the web. The scripts are called payloads. For example, alert(document.domain) or any inline script like <img src=x onerror = alert("XSS exists")> What's the use of XSS? Well, you could steal the cookies of other users. What are cookies? Cookies are small pieces of data sent by the server of the web application so that it may know you are an authenticated user. Here is an example of the alert box of the executed JS code. I injected an inline script that you see as a broken image. Now you click on the image --> Did your browser prompt an alert box? Yes.... the script is executed. If you can execute the script you entered, you could inject your own piece of JS scripts inside the web Apps and could do anything with the user account like sending a friend request on

Facebook Access token Bug | Adding Ad Accounts in Facebook Business

Facebook Business lets you add an Ad Account to your account. This bug lets a Facebook Ad Account be added to the Facebook Business with public permission for the access token. To add the Ad Account to your Facebook Business, you need to have Business and Ad Account permissions for the access token. Once you click on the "Confirm" button on the dialog window after adding the ID of the Ad Account to add, you get the following HTTP Request intercepted. Then there was a flaw. I tested with an access token with no permissions or also public profile permissions and found that it actually works and gets the ad account added into the Facebook Business. Bounty $500

GOOGLE PAY $$$ bounty | CSRF Bug in Google Pay

Google Pay CSRF vulnerability. The Google Pay app is a service that lets you make payments online using UPI. But I found it on the Web Application, where a user can request money from a user. The HTTP Request sent when a user requests money is as seen in the image: It contains the HTTP header that contains the anti-CSRF token. I deleted the anti-CSRF token and sent the request. After a few seconds you get a mail from the victim that has requested money. After I submitted the report, I got a reply within 24 hours. Bounty $500