A tale of Bug Bounties

Hi, This is my second blog post regarding one of my findings in Facebook's Business Manager. Bug: Bug in Business Manager which allows an attacker to completely disable a page admin's access to his page's Page Roles Settings. This exploit works in the below scenario: -->Attacker has a Business Manager account --> Victim does not have any Business Manager Account(ie, victim just has some normal Facebook pages which he owns) In Business Manager, users can add new apps or request access to an app owned by other business accounts. If you want to request access to an app, you just need to enter the APP ID and click on "Request App" so that the admin can grant you the access after receiving the request. The request to a new app is created using the below graph api call with a valid access token POST /v2.10/951117391698528/sent_requests It looks for mainly two parameters :object_id and brand id object_id: The id of the app to which you n...

This is my first blog post. I started bug hunting on Facebook from 2016 and got listed in Facebook's   Hall of Fame  of 2016 and 2017 for finding various bugs. I thank all the people who supported me till here especially my best friend Shaila. I will be posting my findings/thoughts here. Bug :Validation missing in "oauth_token"("facebook.com/twitter" end point) allows an attacker to link his twitter account to victim's page even after victim removes attacker's admin role on victim's page. The end point "https://www.facebook.com/twitter/?setup=1" allows a user to link his account/page to a twitter account. To link a page to twitter account, you need to go to this url and click on the "Link to Twitter" button which will generate a url which look like "https://twitter.com/oauth/authorize?oauth_token=Z2lV-AAAAAAAADeMAAABW9-WtA8" Once the user clicks on Authorize app, the account/page selected will get linked to t...