Posts

Showing posts from July, 2023

Facebook Bug Bounty: A normal user can mark his Order as Paid

I was actually willing to see my name in this Page of the year 2022. I thought I would miss it, but anyway I made it at the end of the year by finding this interesting security bug. So, this bug was found in the Facebook Commerce Page.

First, the Page admin creates an Order in the Page Inbox for a user, and that sends the order to the user. The Paid checkbox can only be seen ticked when the admin marks the Order as paid, and the user has no way to hack it. The user can only mark Received; he cannot mark Paid or Dispatched, as only the Page admin has the access to do it. So after the admin has marked the order as paid, the user will get the option to mark the order as Received or Dispatched. The HTTP request while marking the order as RECEIVED would be

I observed that the variable parameter in the message body has mark_as_received. What if I replace the received with paid? I created a new order and did that. BOOM! The order is marked as paid in the Page Admin's Inbox.

Timeline: October,