Facebook Secret : Facebook Bug Bounty Page Hack

Facebook Secrets

If you have the opportunity to assgin a role to any FB user for a Page

You have roles like

Admin

Editor

Moderator

Advertiser

Analyst

If you assinged a User name A with the role of an Admin. He will get a message that you have sent a request to accept the role for the page.

If the same user is now changed to Editor then the Uesr A gets a notification that the role is being demoted and needs the approval of his.

But if the role is demoted from a Editor to the Advertiser then the user won't get any notification that the Role in the Page is begin modified.

How to Publish a Facebook Page ?

Suppose you are hte admin of the Page then you would be getting a banner on the top of the Home Page that "

The Page isn't visible and you need need to be publshed with a " Publish Button against it.

Now you have 2 options to publish the Page

1. You can click on the PUBLISH Page or

2. You can go to the Page Settings > General

In the first option you have Publish Page. right on the Home Page

In the second options.There are 2 radio buttons

Publish

UnPublish

and then you need to click on the Save Changes

The I tried both the HTTP Request. But both fail.

You bloody don't try it . You won't get it.

Comments

$1337 YouTube Community (Posts) bug

YouTube Community is a feature that is only available for Channels with 1. Verified Phone numbers 2. A significant history, more content for years. In the early June I started hunting for Security flaws on YouTube I was roaming around the features but most of the places have been found secure or already potential features had the bugs fixes in place. The Community Tab is now Posts So, I thought to exploit Youtube Community feature. I was trying to delete the Posts using IDOR attacks but it didn't work I was tired of trying various attacks but thought to compromise to the least "Privilege escalation". The Security flaw... A user (victim) created a YT Community post, later an attacker while being an Admin of the same Channel has saved the HTTP Request that deletes a Community Post / Poll, then the attacker can replay that HTTP Request after he's demoted from Admin to Subtitle Editor that would delete the Post / Poll. I exploited this flaw I tried after 15 ...

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages. The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker, Bug Bounty of $500

Instagram Reels bug $$$$ Bug Bounty : Making users share unintented reels

This bug is categorised as IDOR. We all share Instagram reels with our friend via DM. Did you every try "Copy link" and share on mediums like WhatsApp or any similar apps ? When you do that, the generated Link would be of the below URL https://www.instagram.com/reels/<REEL_ID>?igsh=<Encrypted> The igsh in the Query params of URL is an encrypted string, that would get decrypted on the Instagram servers to the User's Profile ID. On clicking on the link, it would open the Instagram App and plays the reel and then an interruption will be by a popup like the below screenshot The Attack... Crafting the URL ... If you replace the <Reel_ID> (What the user intended to share) with a <Granphically_Sensitive_Content_REEL_ID> in the link and send it to users, when ever any user opens the link. It would show graphically sensitive content and then a Popup of the victim's profile. Though they didn't intend to share it. Report timeline...

Yaswanth Mangalagiri

Search This Blog