Meta(Facebook) BugBounty-Writeups
Inspired by xdavidhu & 1hack0, this repo contains updated Facebook bug bounty writeups.
Contributing:
If you have/know of any Facebook writeups not listed in this repository, feel free to open a Pull Request. Please try to sort the writeups by publication date.
The template to follow when adding new writeups:
- **[MONTH DAY - $BOUNTY]** [TITLE](URL) by [NAME](TWITTER_URL)
If the bounty amount is not available, write $???.
If no Twitter account is available, try to find something similar, such as another social media page or a website.
Writeups
2023:
- [May 4 - $12,500] CVE-2019-18426 - WhatsApp potential for RCE by Gal Weizman
- [Apr 27 - $500] Bypassing Link Sharing Protection by Syd Ricafort
- [Mar 18 - $???] Facebook Creator Studio Misconfiguration by Abdul Rehman Parkar
- [Mar 8 - 2023] Accessing to Data Sources of any Facebook Business account via IDOR in GraphQL by Mukund Bhuva
- [Feb 26 - $???] Facebook bug: A Journey from Code Execution to S3 Data Leak by Bipin Jitiya
- [Jan 31 - $62,500] DOM-XSS in Instant Games due to improper verification of supplied URLs by Youssef Sammouda
- [Jan 31 - $62,500] Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation by Youssef Sammouda
- [Jan 31 - $44,250] Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing by Youssef Sammouda
- [Jan 31 - $2,075] Disclosing Facebook page admins by playing a game by Sudip Shah
- [Jan 23 - $???] Two Factor Authentication Bypass On Facebook by Gtm Mänôz
- [Jan 11 - $1,726] Meta Quest: Attacker could make any Oculus user to follow (subscribe) him without any approval by Dzmitry Lukyanenka
- [Jan 6 - $???] Instagram vulnerability : Turn off all type of message requests using deeplink (Android) by Rahul Kankrale
2022:
- [Dec 23 - $3,000] 0 click Facebook Account Takeover and Two-Factor Authentication Bypass by abdellah yaala
- [Dec 23 - $11,250] Delete any Video or Reel on Facebook (11,250$) by Bassem Bazzoun
- [Dec 5 - $500] Irremovable comments on the FB Lite app by Shubham Bhamare
- [Nov 22 - $3,000] Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs by David Schütz
- [Oct 17 - $18,750] Facebook SMS Captcha Was Vulnerable to CSRF Attack by Lokesh kumar
- [Sep 06 - $???] Group expert's pending expertise request leaking by DF
- [Sep 06 - $10,000] Abusing Self Hosted Github Runners at Facebook by Marcus Young
- [Sep 06 - $???] Details about future collaboration profiles and pages have been revealed by DF
- [Sep 06 - $???] Group expert's pending expertise request leaking on Facebook by DF
- [Aug 11 - $3000] Email Confirmation bypass at Instagram by Avinash Kumar
- [Aug 05 - $???] Irremovable guest in facebook event by Rajiv Gyawali
- [Aug 02 - $550] Instagram photo was present in data backup by Jeewan Bhatta
- [July 24 - $???] Contactpoint Inference through rate-limiting errors by Hacking Monks
- [July 19 - $250] How I could’ve bought anything for Free from Facebook Business Pages by Samip Aryal
- [July 19 - $12,000] Instagram account takeover by malicious apps by Dzmitry
- [Jun 30 - $500] Facebook Portal’s business logic error by Unurbayar
- [Jun 12 - $49,500] How I found a Critical Bug in Instagram by Neeraj Sharma
- [May 31 - $???] Abusing Facebook’s feature for a permanent account confusion by terminator
- [May 14 - $44,625] Multiple bugs chained to takeover Facebook Accounts by Sammouda
- [May 04 - $1,575] Remotely permanent crash any Instagram user via permanent DoS in user DM’s by Naveen
- [Apr 30 - $1,000] Page Admin Disclosure when Posting a Reel by Syd Ricafort
- [Apr 28 - $12,000] Contact Point Deanonymization Vulnerability by Lokesh Kumar
- [Apr 10 - $4400] Privacy Disclosure on Facebook Lite by Rhey
- [Apr 07 - $2,500] Meta's SparkAR RCE Via ZIP Path Traversal by Fady Othman
- [Apr 04 - $???] View Friends List of any users using by Ph.Hitachi
- [March 06 - $???] Bypassing biometric authentication using voip in Whatsapp by Arvind
- [March 04 - $98,250] More secure Facebook Canvas Part 2 by Samm0uda
- [March 03- $4500] Instagram IDOR Bug by Nawaf Alkhaldi
- [Feb 25 - $1500] Bypassing default visibility for newly-added email & Part 2 by Kent Jarold Abulag
- [Feb 21 - $3150] How I could’ve bypassed the 2FA security of Instagram once again by Samip Aryal
- [Feb 16 - $7500] Trim private live videos and access them by Abdellah Yaala
- [Feb 06 - $7500] Facebook Oauth token leakage by Abdellah Yaala
- [Feb 05 - $7500] Attacker could attach their own tournamnet to any live video. by Rony K Roy
- [Feb 02- $4000] Abusing Facebooks Call To Action To Launch Internal Deeplinks by Ash-King
- [Jan 05 - $1050] How I was able to spoof any Instagram username on Instagram shop by Nawaf Alkhaldi
- [Jan 04 - $1075] Execute arbitrary javascript (xss) and load arbitrary website by Rahul Kankrale
2021:
- [Dec 29 - $863] Add or remove the linked publications from Author Publisher settings by Rahul Kankrale
- [Dec 20 - $4,500] How I was able to reveal page admin of almost any page on Facebook by Sudip Shah
- [Dec 16 - $???] CSRF renew access to Apps by Hacking Monks
- [Dec 04 - $???] Able to See and Delete Private Facebook Portal photos by Abhishek Pathak
- [Dec 02 - $1,500] Disclose Ad Accounts linked with Instagram Accounts by Naveen
- [Nov 23 - $25,000] CSRF in Instagram by Mohamed Laajimi
- [Oct 24 - $???] Tagged User Could Delete Facebook Story by Mark Rhoy
- [Oct 22 - $???] Unauthorized access to any Facebook user’s draft profile picture frames by Sandeep Hodkasia
- [Sep 29 - $10,000] Malicious Android Applications can takeover Facebook/Workplace accounts by Samm0uda
- [Sep 29 - $500] Force Browsing bug at Facebook business plan by Dewanand Vishal
- [Sep 23 - $725] Messenger for MacOS contained hardcoded FB token by Dzmitry
- [Sep 15 - $18,250] A Facebook bug that exposes email/phone number to your friends by Saugat Pokharel
- [Sep 08 - $???] Facebook email disclosure and account takeover by Rikesh Baniya
- [Sep 03 - $126,000] Tale of Account Takeovers by Samm0uda
- [Sep 01 - $1,000] Bypassing 2-Factor Authentication for Facebook Business Manager by Shubham Bhamare
- [Aug 22 - $???] IDOR enables Allow Facebook stories shared from Instagram by Mohamed Laajimi
- [Aug 19 - $1000] Disclose WhatsApp Number of Instagram Accounts Despite Setting Set to be Hidden by Naveen
- [Aug 18 - $3,449] Confirming any new Email Address by Lokesh Kumar
- [Aug 02- $???] Facebook Messenger indirect thread deletion by Rahul Kankrale
- [July 30 - $???] Request Review on behalf of other pages (no role in the page) in Account Quality by Sarmad Hassan
- [July 29 - $3,000] Expose Group Member by Muhammad S
- [July 24 - $1,000] Not valid bug that leads to us a multiple Valid Report by Kntjrld
- [July 23 - $500] Admin of group chat cannot remove deactivate user by Aashish Jung Kunwar
- [July 17 - $1,500] Removing Document Cover by Muhammad S
- [July 12 - $500] Linkshim Bypass by Anthony Richa
- [July 10 - $???] Facebook Email/phone disclosure using Binary search by Rikesh Baniya
- [June 27 - $500] Oversightboard.com site-wide CSRF by Samm0uda
- [June 27 - $500] Disclose unconfirmed email/phone of a Facebook user by Samm0uda
- [June 15 - $30,000] I was able to see Private, Archived Posts/Stories of users on Instagram by Mayur Fartade
- [June 13 - $15,500] User’s location diclosure in the Nearby Friends by Yavor Rusev
- [June 06 - $3000] How I could have accessed all your private videos/photos saved inside your device by Samip Aryal
- [May 31 - $???] Facebook Page Admin Disclosure by Kunjan Nayak
- [May 23 - $???] Disclose leads form details of any Facebook Business Account by Amine Aboud
- [May 22 - $500] Crossposting Live Videos by Yaswanth Mangalagiri
- [May 21 - $500] CSRF from which we can create a support ticket in Victim’s Account by Rohit kumar
- [May 21 - $500] Victim’s Anti CSRF Token could be exposed to Third-party Applications by Rohit kumar
- [May 20 - $ 1000] Third-Party Apps were still getting your private Facebook data by Samip Aryal
- [May 20 - $ 537] Instagram Live setting bug by Takashi Suzuki
- [May 20 - $12,000] Oculus SSO bug leads to account takeover on third party websites by Samm0uda
- [May 11 - $9,600] Instagram Reflected XSS by Samm0uda
- [May 10 - $500] Undeletable Messenger Room by SndpGiri
- [May 06 - $9,000] Identify a Facebook user by his phone number by Samm0uda
- [May 06 - $27,000] Unauthorized access to companies environment by Marcos Ferreira
- [May 04 - $18,000] Account takeover of accounts due to unrestricted permissions by Samm0uda
- [May 04 - $3,000] Disclose other user followers by Pratik Timilsina
- [May 01 - $500] Hijack Facebook user due to broken link on Facebook shop feature on IOS Facebook APP by SndpGiri
- [Apr 30 - $ 30,000] Facebook account takeover due to unsafe redirects by Samm0uda
- [Apr 26 - $ 6,000] Download Facebook internal mobile builds by Philippe Harewood
- [Apr 18 - $ 14,000] Remove any Facebook’s live video by Ahmad Talahmeh
- [Apr 17 - $ 1,000] Comment Goes From Page Profile Instead of Personal Profile by Aashish Kunwar
- [Apr 01 - $ 30,000] Facebook account takeover due to a wide platform bug in ajaxpipe responses by Samm0uda
- [Apr 01 - $ 12,000] Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow by Samm0uda
- [Mar 19 - $ 54,800] How I hacked Facebook: Part Two by Alaa Abdulridha
- [Mar 16 - $ 1,000] VOICE CONFUSION WHEN COMMENTING ON WATCH PARTY by Prakash Panta
- [Mar 16 - $ 9,000] Facebook Group Members Disclosure by Baibhav Anand Jha
- [Mar 04 - $ 500] Low hanging fruits on Facebook Group Room by Randy Arios
- [Mar 03 - $ 500] THE INVINCIBLE KID by Samip Aryal
- [Feb 28 - $ ???] Join Facebook Group With Unpublish Page by Gevakun
- [Feb 27 - $ ???] Disclose hidden Product Images by featuring a non-owned collection by Bassem Bazzoun
- [Feb 18 - $ ???] Open redirect in www.oversightboard.com by Sarmad Hassan
- [Feb 18 - $ 500] Expose Facebook object type by Samm0uda
- [Feb 18 - $ 3,600] Expose information about Partner accounts by Samm0uda
- [Feb 18 - $ 500] Ability to find Facebook employee’s test accounts by Samm0uda
- [Feb 18 - $ 500] Disclose internal CMS objects content by Samm0uda
- [Feb 18 - $ 500] Determine admin email addresses of Partners portal account by Samm0uda
- [Feb 18 - $ 500] XSS in Facebook CDN by Samm0uda
- [Feb 17 - $ 500] Dangling DNS Records on api.techprep.fb.com by Binit Ghimire
- [Feb 17 - $ 4,800] Enumerate internal cached URLs which lead to data exposure by Samm0uda
- [Feb 17 - $ 2,000] Leaking Facebook user information to external websites by Samm0uda
- [Feb 17 - $ 500] Open redirect in Instagram.com by Samm0uda
- [Feb 17 - $ 1,500] Access private information about SparkAR effect owners who has a publicly viewable portfolio by Samm0uda
- [Feb 17 - $ 3,000] Make recruiting referrals on behalf of employees by Samm0uda
- [Feb 15 - $ 500] Leak of internal categorySets names and employees test accounts. by Samm0uda
- [Feb 15 - $ 1,000] Delete linked payments accounts of a Facebook page (or user) by Samm0uda
- [Feb 15 - $ 12,500] Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. by Samm0uda
- [Feb 15 - $ 500] URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. by Samm0uda
- [Feb 15 - $ 500] View orders and financial reports lists for any page shop by Samm0uda
- [Feb 10 - $ ???] Sending ephemeral message to any Facebook user by Rahul Kankrale
- [Feb 03 - $ 2,000] Facebook Messenger Desktop App Arbitrary File Read by Renwa
- [Feb 02 - $ ???] Access developer tasks list of any Facebook Application by Amine Aboud
- [Feb 02 - $ ???] Create a block list in brand safety on behalf of any other user by Sarmad Hassan
- [Jan 28 - $ 4,000] Launching Internal & Non-Exported Deeplinks by Ashley King
- [Jan 14 - $ 1,000] Irremovable Facebook group album photos by Shubham Bhamare
- [Jan 08 - $ 30,000] Create post on any Facebook page by Pouya Darabi
- [Jan 08 - $ ???] Facebook: Linkshim protection bypass using fb://webview by Rahul Kankrale
- [Jan 04 - $ 5,000] Bypass of a FaceBook Page Admin Disclosure by Shubham Bhamare
- [Jan 03 - $ 5,000] Expose the email address of Workplace users by Samm0uda
- [Jan 01 - $ 30,000] XSS on forums.oculusvr.com by Samm0uda
- [Jan 01 - $ 500] Clearing tournament match score as participant by Rony K Roy
2020:
- [Dec 31 - $ 10,000] Account takeovers in third party websites by Samm0uda
- [Dec 31 - $ 500] Blocked fundraiser organizer unable to remove themseleves by Vivek PS
- [Dec 26 - $ 1,500] Facebook page admin disclosure by "Message Seller" by Shubham Bhamare
- [Dec 20 - $ 13,125] How I was able to view anyone’s private email and birthday by Saugat Pokharel
- [Dec 19 - $ 1,000] Finding the hidden members of the private events by Vivek PS
- [Dec 12 - $ 5,000] Confirm an email address belonging to a specific user by Abdellah Yaala
- [Dec 11 - $ 7,500] How I hacked Facebook: Part One by Alaa Abdulridha
- [Nov 13 - $ 10,000] Facebook SSRF by Amine Aboud
- [Nov 13 - $ 500] Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity by Prakash Panta
- [Nov 13 - $ 16,125] How I Found The Facebook Messenger Leaking Access Token Of Million Users by Guhan Raja
- [Nov 13 - $ 500 ] Commenting on a post by opening it via page’s news-feed goes from a wrong actor by Samip Aryal
- [Nov 13 - $ 500] User’s private videos/saved videos exposed through a messenger call from a locked smartphone. by Samip Aryal
- [Nov 10 - $ 1500] Facebook iOS address bar spoofing by Rahul Kankrale
- [Nov 07 - $ 25,000] Facebook DOM Based XSS using postMessage by Samm0uda
- [Nov 04 - $ 10,750] Delete Any Photos In Facebook by Lokesh Kumar
- [Nov 02 - $ 4838] Reveal the page admin that uploaded a video on the page in comment section by Lokesh Kumar
- [Oct 30 - $ ???] Ability To Backdoor Facebook For Android by Ash King
- [Oct 21 - $ 2000] Perform substring search for emails even if Workplace admin hides email profile field. by Rahul Kankrale
- [Oct 21 - $ 3000] Facebook Page Admin Disclosure by Rahul Kankrale
- [Oct 12 - $ 500] Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account by Mustafa Ahmed
- [Oct 05 - $ 500] Easy wins : verbose error worth Facebook HOF by Mukul Lohar
- [Oct 02 - $ 10,000] Arbitrary code execution on Facebook for Android through download feature by Mukul Lohar
- [Sep 30 - $ ???] Story of a weird vulnerability I found on Facebook by Amine Aboud
- [Sep 15 - $ ???] How I Accidentally Got My First Bounty From Facebook by Bishal Shrestha
- [Sep 12 - $ ???] How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM by Orange Tsai
- [Aug 18 - $ 500] How could I Tag Photo to any user’s Scrapbook on Facebook by Raja Sudhakar
- [Aug 14 - $ 6,000] Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 by Saugat Pokharel
- [Aug 11 - $ ???] Group Admin Can’t Able to Moderate Comments by Prakash Panta
- [Aug 10 - $ ???] My 2nd 4digit Bug Bounty From Facebook by Sudip Shah
- [Aug 08 - $ 500] Reflected XSS in Facebook’s mirror websites by Sudhanshu Rajbhar
- [July 30 - $ ???] Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook by Ashok Chapagai
- [July 27 - $ ???] Disclose content of internal Facebook javascript modules by Samm0uda
- [July 17 - $ ???] Story Of 4 digit bounty by Sudip Shah
- [July 02 - $ 1500] Browser Anamoly by easySIEM
- [July 02 - $ 5500] Admin disclosure of Facebook verified pages by Samm0uda
- [June 25 - $ ???] Hidden Comments by Saugat Pokharel
- [June 21 - $ ???] XSS-On-Facebook by Bipin Jitiya
- [June 20 - $ 1500] Information Disclosure On Facebook by Alaa Abdulridha
- [June 18 - $ ???] Page-Admin-Disclosure by Saugat Pokharel
- [June 14 - $ ???] Privilege escalation in Partners Portal to Admin access by Samm0uda
- [June 14 - $ ???] Disclose the Instagram account linked to a Facebook user account or page by Samm0uda
- [June 14 - $ ???] Internal directories enumeration in www by Samm0uda
- [June 05 - $ ???] Delete saved credit cards from any Business Manager Account by Rohit kumar
- [June 02 - $ 10000] Another image removal vulnerability on Facebook by Pouya Darabi
- [May 28 - $ ???] How I made $31500 by submitting a bug to Facebook by Bipin Jitiya
- [May 28 - $ ???] How I was able to see Private Video Uploader Via Facebook Rights Manager by Kishore TK
- [May 21- $ ???] Cannot Revoke Session on Messenger for Kids by Saugat Pokharel
- [May 21 - $ ???] Bypassing Message Request inbox by Abdellah Yaala
- [May 20 - $ ???] Change any link at https://fbwat.ch/ by Philippe Harewood
- [May 20 - $ 7500] Become member of close & public group by abdellah yaala
- [May 18 - $ 1500] FB & Messenger for iOS : Address Bar spoofing using data uri by Rahul Kankrale
- [May 12 - $ 750] Change the profanity filter for any Facebook page by Philippe Harewood
- [May 07 - $ 20000] $20000 Facebook DOM XSS by Vinoth Kumar
- [May 02 - $ ???] Private Dashboards were accessible by Rohit kumar
- [May 02 - $ ???] Exposure of Facebook object type by knowing the object ID by Samm0uda
- [May 02 - $ ???] Add draft subtitles to any Facebook video and Full Path Disclosure by Samm0uda
- [Apr 16 - $ 750] Recieving instagram notifications after Logout by Jane Manchun Wong
- [Apr 04 - $ ???] Cannot Delete Post on Facebook Group: Facebook Bug Bounty by Saugat Pokharel
- [Apr 01 - $ ???] The story of my first ever, $xxxx by Ashok Chapagai
- [Mar 14 - $ ???] Blocked User Can Send Notification Due to Logical Bug by Divyanshu Shukla
- [Mar 13 - $ ???] Generate valid signatures for FBCDN urls by Philippe Harewood
- [Mar 11 - $ ???] Generate valid signatures for files hosted in Facebook CDNs by Samm0uda
- [Mar 11 - $ ???] Ability to bruteforce Instagram account’s password due to lack of rate limitation protection by Samm0uda
- [Mar 01- $ 55,000] Facebook OAuth Framework Vulnerability by Amol Baikar
- [Feb 29 - $ 3000] Page Admin Disclosure via an Upgraded Page Post by dw1
- [Feb 28 - $ 12,500] Facebook CSRF bug which lead to Instagram Partial account takeover. by Samm0uda
- [Feb 17 - $ 500] Open-redirect Vulnerability on Facebook by Ashok Chapagai
- [Feb 08 - $ ???] Determine users with detailed role model on behalf of any Facebook Application by Amol Baikar
- [Feb 04 - $ ???] Allowing Read From The File System Access by Ashok Chapagai
- [Feb 02 - $ ???] Disclose Full Admin List of any Facebook Applications by Amol Baikar
- [Jan 26 - $ ???] XSS on Facebook-Instagram CDN Server bypassing signature protection by Amol Baikar
- [Jan 26 - $ ???] Disclose Facebook Business Account ID by Amol Baikar
- [Jan 26 - $ ???] XSS on Facebook’s acquisition Oculus CDN Server by Amol Baikar
- [Jan 23 - $ 12,500] Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover by Samm0uda
- [Jan 22 - $ 500] Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic by Ritish Kumar Singh
2019:
- [Dec 29 - $ ???] Information Disclosure Bug by Circle Ninja
- [Dec 26 - $ ???] Bypassing Brand Collabs Manager Eligibility on Facebook by Ajay Gautam
- [Dec 13 - $ ???] Facebook New Account Verification Bypass by Santosh Baral
- [Dec 09 - $ 3,000] Media deletion CSRF vulnerability on Instagram by Pouya Darabi
- [Nov 27 - $ 5,000] Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge by Samm0uda
- [Nov 21 - $ 1,000] Disable Any Unconfirmed Account in Facebook by Lokesh Kumar
- [Nov 20 - $ ???] Delete Facebook Ask for Recommendations post’s place objects in comments by Raja Sudhakar
- [Nov 19 - $ ???] Disclose the owner of a recruiting manager in Jobs Beta by Philippe Harewood
- [Nov 16 - $ ???] View the ranked messenger users for any page by Philippe Harewood
- [Oct 30 - $ 500] Live Video facebook application (Android) its not expired when log out by Naufal Septiadi
- [Oct 28 - $ ???] Crash web — app through application form of job application pages by TienDat
- [Oct 24 - $ 1,500] Session Expiration Bypass in Facebook Creator App by Philippe Harewood
- [Oct 22 - $ 3,000] Disclose members in any closed Facebook group by Ahmad Talahmeh
- [Oct 17 - $ ???] 1-800-Flowers Credentials and message log leak via facebook.com/facebook by Philippe Harewood
- [Oct 15 - $ 500] Disclosure the verified phone number in Checkpoint. by TienDat
- [Oct 12 - $ ???] Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. by Rohit kumar
- [Sep 21 - $ 500] Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public by Guhan Raja
- [Sep 20 - $ ???] Business ID leak via Creative Hub redirect by Philippe Harewood
- [Sep 13 - $ ???] How two dead accounts allowed remote crash of any instagram android user by Valbrux
- [Sep 12 - $ ???] Facebook employee internal tool and conversations leaked in Facebook video by Philippe Harewood
- [Sep 12 - $ ???] Add users to roles on Facebook pages without an invitation consent by Philippe Harewood
- [Sep 10 - $ ???] Subscribe to the list of requesters to join a Facebook live video using MQTT by Philippe Harewood
- [Sep 09 - $ 750] Oculus identity verification bypass through brute-force by karthik kumar reddy
- [Sep 02 - $ 1,000] HTML to PDF converter bug leads to RCE in Facebook server by Samm0uda
- [Aug 26 - $ 10,000] How I Hacked Instagram Again by Laxman Muthiyah
- [Aug 24- $ ???] Create living room polls as a Facebook page analyst by Philippe Harewood
- [Aug 22 - $ ???] Rights Manager Graph API Disclosure of business employee to non business employee by Jafar_Abo_Nada
- [Aug 21 - $ 500] Instagram account is reactivated without entering 2FA ($500) by Philippe Harewood
- [Aug 21 - $ ???] Sending Message as page being an analyst/ advertiser by Baibhav Anand
- [Aug 19 - $ ???] Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device by Arvind
- [Aug 19 - $ 2,500] Removing profile pictures for any Facebook user by Philippe Harewood
- [Aug 18 - $ ???] Add users to roles on Facebook pages without an invitation consent (revisited) by Philippe Harewood
- [Aug 15- $ ???] ByPassing fix of Domain Blocking feature in Business Manager by Rohit kumar
- [Aug 15 - $ ???] Facebook Messenger exposing deleted messages using by Renwa
- [Aug 01 - $ ???] Download predictions details of ads plans of any business. by Samm0uda
- [Aug 01 - $ ???] Internal path disclosure in Instagram server by Samm0uda
- [Aug 01 - $ ???] Access portal of Facebook mobile retailers and see earnings and referrals reports. by Samm0uda
- [Aug 01 - $ ???] View orders and financial reports lists for any page shop by Samm0uda
- [July 26- $ ???] Instagram bug disclosing user’s phone number via checkpoint by Bijan Murmu
- [July 21 - $ ???] Subscribe to typing notifications for any Instagram user by Philippe Harewood
- [July 20 - $ ???] Get Page Inbox notifications for any Facebook page by Philippe Harewood
- [July 17 - $ 500] How Recon helped me to to find a Facebook domain takeover by Sudhanshu Rajbhar
- [July 16 - $ 3,000] CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook by Lokesh Kumar
- [July 15 - $ ???] Sending messages as a page with jobmanager permission by Devansh batham
- [July 14 - $ 30,000] How I Could Have Hacked Any Instagram Account by Laxman Muthiyah
- [July 12 - $ 500] Facebook Bug bounty page admin disclose bug by Yusuf Furkan
- [July 04 - $ 2000] This is how I managed to win $2000 through Facebook Bug Bounty by Saugat Pokharel
- [July 04 - $ 500] Unremovable Co-Host in facebook page events by Ritish Kumar Singh
- [June 28 - $ ???] Page admin disclosure by Bijan Murmu
- [June 26 - $ ???] Toggle Group Rules Agreement as a non-member by Philippe Harewood
- [June 24 - $ ???] Download .arexport files for any public AR Studio Effect by Philippe Harewood
- [June 22 - $ ???] Page Admin Disclosure by Ajay Gautam
- [June 17 - $ 500] Business user Employees could have applied block list to all ad accounts listed in the business manager. by Rohit kumar
- [June 11 - $ 1,500] Facebook Vulnerability: Non-unfriendable user in /hacked workflow by Ritish Kumar Singh
- [May 27- $ ???] View Facebook payouts for any Facebook Trivia Game by Philippe Harewood
- [May 25 - $ ???] Disclose files content from Facebook internal CDNs by Samm0uda
- [May 22 - $ 1,000] Determine a Facebook user from an email address by Philippe Harewood
- [May 17 - $ 500] Bypassing Instagram’s stories restriction by Baibhav Anand
- [Apr 30 - $ 3,000] Facebook’s URL spoofing vulnerability by Rahul Kankrale
- [Apr 23 - $ 5,000] Facebook’s Burglary Shopping List by Philippe Harewood
- [Apr 22 - $ ???] Disclose the content of internal Facebook Javascript modules. by John Moss
- [Apr 02 - $ 1,000] Hiding from Facebook Page Admin(s) in /hacked workflow by Ritish Kumar Singh
- [Apr 01 - $ ???] How I was able to get your facebook private friend list by Raja Sekar Durairaj
- [Mar 24 - $ 500] Facebook Marketing Confidential Call Transcript by Philippe Harewood
- [Mar 19 - $ 10,000] Denial of service in Facebook Fizz due to integer overflow by kevin_backhouse
- [Mar 19 - $ 750] DoS Across Facebook Endpoints by Max Pasqua
- [Mar 16 - $ 4,000] Disclosure of Pending Roles for any Facebook Page by Avinash Kumar
- [Mar 11 - $ 1,000] CVE-2018-16794 on fs.thefacebook.com by Philippe Harewood
- [Mar 07 - $ ???] Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack by Ron Masas
- [Mar 06 - $ ???] Facebook Messenger server random memory exposure through corrupted GIF image by Dzmitry Lukyanenka
- [Mar 05 - $ 1,000] Facebook exploit – Confirm website visitor identities by Tom Anthony
- [Feb 16 - $ ???] Bypass password confirmation in Facebook “DYI” feature by Samm0uda
- [Feb 16 - $ 1,000] Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk by Rohit kumar
- [Feb 14 - $ ???] Third Party Android App Storing Facebook Data Insecurely by Nightwatch Cybersecurity
- [Feb 13- $ 15,000] Disclose private attachments in Facebook Messenger Infrastructure by Sarmad Hassan
- [Feb 12 - $ 25,000] Facebook CSRF protection bypass which leads to Account Takeover by Samm0uda
- [Feb 12 - $ ???] Export Facebook audience network reports of any business by Samm0uda
- [Feb 07 - $ ???] Internal paths disclosure due to improper exception handling by Samm0uda
- [Feb 07 - $ ???] Leak of private/in-development app ids, names and translation requests by Samm0uda
- [Jan 25 - $ ???] Facebook Change Product Availability as a PageAnalyst by onehackzero
- [Jan 22 - $ ???] Enroll in Facebook Ad-break program without Facebook approval by Samm0uda
- [Jan 22 - $ ???] Disclose page’s admins and its Monetization payout details by Samm0uda
- [Jan 22 - $ ???] Disclose page violations and its eligibility to use Ad-breaks by Samm0uda
- [Jan 22 - $ ???] Disclose Instagram business account linked to a Facebook page by Samm0uda
- [Jan 22 - $ ???] Change payment account of any Facebook commerce page by Samm0uda
- [Jan 22 - $ ???] Expose business email and payment account balance of any Facebook commerce page. by Samm0uda
- [Jan 22 - $ ???] Reveal if a Facebook merchant page has pending or completed orders by Samm0uda
- [Jan 22 - $ ???] Lack of rate limiting protection by Samm0uda
- [Jan 22 - $ ???] Generate Access Tokens for any Facebook user by Samm0uda
- [Jan 22 - $ ???] Modify users profiles of techprep.fb.com by Samm0uda
- [Jan 22 - $ ???] Uploading files to api.techprep.fb.com by Samm0uda
- [Jan 15 - $ 500] Unremovable facebook group admin by Ritish Kumar Singh
- [Jan 13 - $ ???] Hack Your Form – New vector for Blind XSS by Youssef A. Mohamed
- [Jan 11 - $ ???] Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty by Ajay Gautam
- [Jan 11 - $ ???] Facebook PageAnalyst Could Add oneself as Moderator on Group by onehackzero
- [Jan 08 - $ ???] View the contact list for a Messenger Kid as a parent-approved contact by Ash King
- [Jan 05 - $ 750] Facebook Android Application by Ash King
- [Jan 04 - $ 1,000] Stealing Side-Channel Attack Tokens in Facebook Account Switcher by Max Pasqua
2018:
- [Oct 09 - $ ???] Facebook-Business-Takeover by Philippe Harewood
- [Aug 22 - $ ???] Send-Payment-Invoices-As-Any-Facebook-Page by Philippe Harewood
- [Aug 09 - $ 5,000] Remote Code Execution on a Facebook server by Sec team
- [Jul 24 - $ ???] Disclose-Page-Admins-Via-Gaming-Dashboard-Bans by Philippe Harewood
- [Jul 18 - $ ???] Determine-Members-In-A-Closed-Facebook-Group by Philippe Harewood
- [Jul 12 - $ ???] Application-Secret-Embedded-In-Login-Flow-For-Facebook-Swag-Store by Philippe Harewood
- [Jun 13 - $ ???] Disclose-Page-Admins-Via-Job-Source-Recruiter-Requests by Philippe Harewood
- [May 23 - $ 500] Toggling comment option of a post in a linked group as an analyst. by asad0x01
- [May 17 - $ 750] Make products Out of Stock in Facebook Pages by Neeraj Gopal
- [Apr 01 - $ 500] Leaking of page store details by Neeraj Gopal
- [Mar 31 - $ 3000] Setting up tests for any App by Neeraj Gopal
- [Mar 27 - $ ???] Disclose-Page-Admins-Via-Watch-Parties-In-A-Facebook-Group by Philippe Harewood
- [Mar 16 - $ 1000] See unpublished jobs of any page. by asad0x01
- [Mar 16 - $ ???] View-Facebook-Friends-For-Any-User by Philippe Harewood
- [Mar 15 - $ ???] Disclose-Facebook-Page-Admins-Via-Facebook-Camera-Effects by Philippe Harewood
- [Mar 16 - $ ???] View-Private-Instagram-Photos by Philippe Harewood
- [Mar 13 - $ ???] View-The-Facebook-Stories-For-Any-Media-Effect by Philippe Harewood
- [Mar 10 - $ ???] Access to FBConnections by Philippe Harewood
- [Feb 24 - $ 1,500] How I was able to delete any image in Facebook community by Sarmad Hassan
- [Feb 23 - $ ???] Disclose-Facebook-Page-Admins-In-3d by Philippe Harewood
- [Feb 21 - $ ???] Change-The-Background-Of-3d-Posts-For-Any-Facebook-User by Philippe Harewood
- [Feb 11 - $ ???] Create-Learning-Units-For-Any-Group by Philippe Harewood
- [Jan 22 - $ ???] Path-Disclosure-In-Instagram-Ads-Graphql by Philippe Harewood
- [Jan 16 - $ ???] View-The-Vr-Experiences-For-Any-Oculus-User by Philippe Harewood
- [Jan 15 - $ ???] View-The-Email-Subscriptions-For-Any-Oculus-User by Philippe Harewood
- [Jan 15 - $ ???] View-The-Bug-Subscriptions-For-Any-Oculus-User by Philippe Harewood
- [Jan 10 - $ ???] Unintended-Control-Over-The-Email-Body-In-Partner-Integration-Email-Instructions/ by Philippe Harewood
- [Jan 05 - $ ???] Disclose-Page-Admins-Via-Our-Story-Feature by Philippe Harewood
2017:
- [Dec 26 - $ ???] Facebook-Ad-Spend-Details-Leaking-For-Facebook-Marketing by Philippe Harewood
- [Dec 21 - $ ???] Searching-Internal-Gatekeeper-Constants by Philippe Harewood
- [Oct 24 - $ ???] Make-Recruiting-Referrals-On-Behalf-Of-Facebook by Philippe Harewood
- [Oct 26 - $ ???] Posting-Gifs-As-Anyone-On-Facebook by Philippe Harewood
- [Oct 11 - $ ???] View-Former-Members-Of-A-Facebook-Group by Philippe Harewood
- [Oct 08 - $ ???] Facebook-Graphql-Csrf by Philippe Harewood
- [Sep 18 - $ ???] Disclose-Users-With-Roles-On-Facebook-Pages by Philippe Harewood
- [Aug 24 - $ ???] Facebook-Stories-Disclose-Facebook-Friend-List by Philippe Harewood
- [May 11 - $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User-Revisited by Philippe Harewood
- [May 08 - $ ???] Determine-A-User-From-A-Private-Phone-Number by Philippe Harewood
- [Mar 24 - $ ???] Find-Instagram-Contacts-For-Any-User-On-Facebook by Philippe Harewood
- [Feb 02 - $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User by Philippe Harewood
- [Jan 20 - $ ???] Delete-A-Hotel-Object-From-A-Facebook-Product-Catalog by Philippe Harewood
- [Jan 04 - $ ???] See-If-Any-Facebook-User-Is-Marked-In-A-Crisis by Philippe Harewood
- [Jan 04 - $ ???] Order-Facebook-Friends-By-Facebook-Recruiting-Technical-Coefficient by Philippe Harewood