Facebook Bug Bounty Writeups collected from all over the internet.
1-800-Flowers Credentials and message log leak via facebook.com/facebook
Ability to invite any user to a Facebook page (all non-friends)
Abusing Facebook Graph Search using GraphQL
Ability to upload HTML via SRT caption files for Facebook Videos
Access lead forms for any Facebook Page
Add a user to the list of Facebook Contacts
Add any Facebook user (non-friend) to Slingshot without knowing the username
Add users to roles on Facebook pages without an invitation consent
Add users to roles on Facebook pages without an invitation consent (revisited)
Ads API Error leads to Ad account ID being leaked from the legacy account ID
Break the Facebook Page Icebreaker FAQ feature for any page admin using React sanitizeURL()
Application secret embedded in login flow for Facebook Swag Store
Business ID leak via Creative Hub redirect
Bypass Disabled Client OAuth Login in Facebook Pages Manager App
Bypassing appsecret_proof verification
Bypassing posting to friends’ timelines restriction (Revisited in photos)
Bypassing posting to friends’ timelines API restriction
Bypassing posting to friends’ timelines restriction (Revisited)
Change any link at https://fbwat.ch/
Change the background of 3D posts for any Facebook user
Change Tag Suggestions for any Facebook User
Change the description of a video without publish_actions permission
Change the profanity filter for any Facebook page
Change Trust Project Credibility Indicators as an Analyst
Conversion Pixels can be modified by any application not enabled for usage in Ads API
Create a Page Watch Party as an Analyst
Create a Product as an Analyst on a Facebook Page Store
Create a video playlist as an Analyst for a page
Create access tokens for any page on Facebook
Create Learning Units for any Group
Create living room polls as a Facebook page analyst
Create mentorship cohorts as a page analyst
Create Oxygen Lab Device Profiles
Creating applications with Facebook trademark names
Creating tags on photos without publish_actions permission
Creation of a scrapbook invalidates the privacy set for a non-user family member
CVE-2018-16794 on fs.thefacebook.com
Deactivate Facebook Page Shop as an Analyst
Delete a Hotel Object from a Facebook Product Catalog using public_profile permission
Delete any Moments app photo or folder not owned by the session user
Deleting a photo not owned by the application by editing a Facebook object
Deleting a Vault image makes data available to third party applications
Determine a user from a private phone number
Detailed information for all Facebook native applications as a non-employee
Determine a Facebook user from an email address
Determine if any two users are friends without user_friends permission
Determine if any two users are friends without user_friends permission (Revisited)
Determine members in a closed Facebook group
Determine the number of friends added for any Facebook user
Determine Page Admins via Event Guest Removals
Disclose Commerce Manager Users
Disclose Facebook Page Admins in 3D
Disclose Facebook recruiting announcements
Disclose Page Admins via Facebook Camera Effects
Disclose Page Admins via Gaming Dashboard Bans
Disclose Page Admins via Job Source Recruiter Requests
Disclose page admins via “Our Story” feature
Disclose the owner of a recruiting manager in Jobs Beta
Disclose page admins via watch parties in a Facebook group
Disclose users with roles on Facebook pages
Download .arexport files for any public AR Studio Effect
Disclosing Merchant Business Email Address
Download Facebook internal mobile builds
Edit Facebook Event Tour details with pages_show_list permission as a third party application
Edit the Facebook album order of any user
Editing a Facebook Status not owned by the calling application
Facebook Ad spend details leaking for Facebook Marketing partners
Facebook Bug Bounty: secondary damage (revisited) why I really like reporting to Facebook too :)
Facebook Contractor Account Credentials leaked from IG video
Facebook employee internal tool and conversations leaked in Facebook video
Facebook employees’ commission splits counts are shown
Facebook employees’ recruiting search counts are shown
Facebook Employees leaked from Disaster Map
Facebook Page profile picture update requires neither publish_pages nor publish_actions
Facebook Marketing Confidential Call Transcript
Facebook stories disclose Facebook friend list
Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun
Facebook v2.0 API bug: inconsistencies with app scoped ids
Facebook’s /intern/testdata tool shown with the default password n0t3st
Find Instagram Contacts for any user on Facebook
Find Mingle Suggestions for any Facebook User (Revisited)
Find Mingle Suggestions for any Facebook User
Friends data leaking from Facebook Year in Review Video
Generate leads on behalf of any Facebook page
Generate valid photos for FBCDN urls via Ads Slideshow
Generate valid signatures for FBCDN urls
Get any non-friend count in a v2.0 Application using FQL
Get live comments without publish_video and manage_pages permissions
Get Page Inbox notifications for any Facebook page
Getting Audience Data from Facebook Ad Audience Partners
Getting Facebook Signal App Access Token
Getting the username in 2.0+ applications using video posts
Getting the username in FQL in 2.0 applications
Icon field in posts gets access_token appended
Instagram GitHub Token with public_scope found In Travis CI Build Logs
Know which Facebook pages a user visited via mobile
Leaked Credentials gives access to internalfb.com
Leaking Facebook Internal Documents for New Hires Revisited
Leaking Facebook Internal Documents for New Hires
Like any Facebook page as a Page Analyst
List internal data via Facebook error messages
List of Internal translation taskIDs disclosed
Listing of all public apps associated with any Wit User
Make recruiting referrals on behalf of Facebook
Modifying an old Facebook post by adding a Photo (Without edit history)
Moments App Images can be published by third party applications
Order Facebook Friends by Facebook Recruiting Technical Coefficient
Outdated Flash component (moxieplayer.swf) in assets.tumblr.com
Page Manager App can read user messages (when API errors say it shouldn’t)
Paging Cursors leaking data in Graph API
Path Disclosure in Facebook Copyright Dashboard
Path Disclosure in Facebook GraphQL API
Path Disclosure in Instagram Ads GraphQL
Political Endorsement is shown to friends while endorsement post set to private
Post a reaction as a page to a Facebook Group story using an analyst role
Post Video Gaming Goals As An Analyst
Post Watch Parties as other Facebook users
Posting GIFs as anyone on Facebook
Private objects in the Messenger Business platform can be accessed by anyone
Re-exploring leaked info in GraphQL
Removing profile pictures for any Facebook user
Rebuilding the full Facebook friend list with FQL
Reorder the photos of a post of any user
Reply to a message without read_page_mailboxes permission
Reply to an Instagram comment as a Facebook page analyst
Report a comment as a page analyst in a Facebook group
Rewriting a photo not owned by the session user in Moments App
Rewriting a photo not owned by the session user in Moments App (Revisited)
Searching internal gatekeeper constants
See if any Facebook user is marked in a crisis
See Production and Development Instant Articles for Any Facebook Page
See whether a Hackercup Facebook participant allows recruitment contact
Send a message as a page analyst of a Facebook page
Send a Location Ping to Facebook Friends using only public_profile as a third party app
Send payment invoices as any Facebook Page
Show friends sharing precise locations as a third party application
Subscribe to Facebook Gaming/Microsoft mixer update for any Facebook user
Subscribe to the list of requesters to join a Facebook live video using MQTT
Swiping Facebook Official Access Tokens
Subscribe to typing notifications for any Instagram user
The Facebook publish_pages permission is missing in /me/links
Tagged Places shouldn’t show paging params if no user_tagged_places granted
The /page-id/photos endpoint isn’t obeying the publish_actions permission requirement
The /user-id/links endpoint is bypassing v2.0 application privacy and permission scope
Third Party Applications have access to Airline, Uber and Payments Data From Bots
Third party Developer access to Facebook captcha challenges
Third Party Applications have access to private email address and phone number with public_profile
Toggle Any Facebook Page Messaging Feature
Toggle Group Rules Agreement as a non-member
Unintended control over the email body in Customer Chat Plugin Code Instructions
Unintended control over the email body in Partner Integration Email Instructions
Upload videos thumbnails with just public_profile permission
Using an Analyst account to post to Facebook Open Graph Objects
Using Onboarding Links to disclose Facebook Internal Content for New Employees
Using Tumblr pagination to redirect from Instagram
Vault Images can be published by third party applications
View Approval Requests for Messenger Room
View Commerce Insights for Any Page Shop Product
View businesses of a Facebook user with public_profile permission
View Commerce Settings and Email for Any Page Shop
View details as a current candidate in the Facebook job recruiting process
View Created Sync Queues for Any Facebook User using Moments
View Facebook friends for any user
View Facebook payouts for any Facebook Trivia Game
View former members of a Facebook group
View Instant Articles Traffic Lift for any page
View Instant Game High Scores for any User
View Items Bought via Messenger Commerce for Any Facebook User
View mentorship applications and identify users in a Facebook group
View Messenger Game Score Sheets for Any Facebook User
View news subscriptions for any Facebook page
View Recent Messenger Searches for any Facebook User
View subscribed leadgen apps associated with any page
View saved offers of another user
View the Ads Retention Curve Completion Rate for any Ad Account
View the Assigned Roles and Emails of an Instagram Account
View the Bonfire friends for any Party User
View the bug subscriptions for any Oculus User
View the contact list for a Messenger Kid as a parent-approved contact
View the email subscriptions for any Oculus User
View the Facebook stories for any media effect
View the GraphQL stored queries for any application
View the Job Applications of a Page as an analyst
View the ranked messenger users for any page
View the owned test users for Facebook employees
View the VR experiences for any Oculus user
View Unique User Count for any Facebook Pixel
Viewing Payment Information as an Ad Analyst
Vote on comments as a Facebook page analyst
Uploading files to api.techprep.fb.com – Youssef Sammouda
Internal paths disclosure due to improper exception handling – Youssef Sammouda
Leak of private/in-development app ids, names and translation requests – Youssef Sammouda
Facebook CSRF protection bypass which leads to Account Takeover – Youssef Sammouda
Export Facebook audience network reports of any business – Youssef Sammouda
Bypass password confirmation in Facebook “DYI” feature – Youssef Sammouda
Disclose the content of internal Facebook Javascript modules – Youssef Sammouda
Disclose files content from Facebook internal CDNs – Youssef Sammouda
HTML to PDF converter bug leads to RCE in Facebook server – Youssef Sammouda
View orders and financial reports lists for any page shop – Youssef Sammouda
Download predictions details of ads plans of any business – Youssef Sammouda
Modify users profiles of techprep.fb.com – Youssef Sammouda
Send emails on behalf of legal_noreply@fb.com – Youssef Sammouda
Internal path disclosure in Instagram server – Youssef Sammouda
Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge – Youssef Sammouda
Generate Access Tokens for any Facebook user – Youssef Sammouda
Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover – Youssef Sammouda
Facebook CSRF bug which lead to Instagram Partial account takeover – Youssef Sammouda
Bruteforce Instagram account’s passwords (lack of rate limiting protection) – Youssef Sammouda
Generate valid signatures for files hosted in Facebook CDNs – Youssef Sammouda
Reveal if a Facebook merchant page has pending or completed orders – Youssef Sammouda
Add draft subtitles to any Facebook video and Full Path Disclosure – Youssef Sammouda
Exposure of Facebook object type by knowing the object ID – Youssef Sammouda
Expose business email and payment account balance of any Facebook commerce page – Youssef Sammouda
Disclose internal files related to testing of some Facebook tools – Youssef Sammouda
Disclose the Instagram account linked to a Facebook user account or page – Youssef Sammouda
Internal directories enumeration in www – Youssef Sammouda
Privilege escalation in Partners Portal to Admin access – Youssef Sammouda
Disclose content of internal Facebook javascript modules (Revisited) – Youssef Sammouda
Facebook DOM Based XSS using postMessage – Youssef Sammouda
Change payment account of any Facebook commerce page – Youssef Sammouda
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers – Youssef Sammouda
Disclose Instagram business account linked to a Facebook page – Youssef Sammouda
Expose the email address of Workplace users – Youssef Sammouda
Disclose page’s admins and its Monetization payout details – Youssef Sammouda
Delete linked payments accounts of a Facebook page (or user) – Youssef Sammouda
Leak of internal categorySets names and employees test accounts – Youssef Sammouda
Make recruiting referrals on behalf of employees – Youssef Sammouda
Open redirect in Instagram.com – Youssef Sammouda
Enumerate internal cached URLs which lead to data exposure – Youssef Sammouda
XSS in Facebook CDN due to improper filtering of uploaded files extensions – Youssef Sammouda
Disclose internal CMS objects content – Youssef Sammouda
Disclose page violations and its eligibility to use Ad-breaks – Youssef Sammouda
Expose information about Partner accounts in Partner portal – Youssef Sammouda
Expose Facebook object type (including private objects) – Youssef Sammouda
Facebook account takeover due to a wide platform bug in ajaxpipe responses – Youssef Sammouda
Facebook account takeover due to unsafe redirects after the OAuth flow – Youssef Sammouda
Enroll in Facebook Ad-break program without Facebook approval – Youssef Sammouda
Identify a Facebook user by his phone number despite privacy settings set – Youssef Sammouda
Disclose unconfirmed email/phone of a Facebook user – Youssef Sammouda
Oversightboard.com site-wide CSRF due to missing checking – Youssef Sammouda