This is my first blog post. I started bug hunting on Facebook in 2016 and got listed in Facebook's Hall of Fame for 2016 and 2017 for finding various bugs. I thank all the people who supported me till here, especially my best friend Shaila. I will be posting my findings/thoughts here.

Bug: Validation missing in "oauth_token" ("facebook.com/twitter" endpoint) allows an attacker to link his Twitter account to the victim's page even after the victim removes the attacker's admin role on the victim's page.

The endpoint "https://www.facebook.com/twitter/?setup=1" allows a user to link his account/page to a Twitter account. To link a page to a Twitter account, you need to go to this URL and click on the "Link to Twitter" button, which will generate a URL that looks like "https://twitter.com/oauth/authorize?oauth_token=Z2lV-AAAAAAAADeMAAABW9-WtA8". Once the user clicks on Authorize app, the account/page selected will get linked to t...
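To make the missing check concrete, here is an added example (my own illustration, not Facebook's code) that models the link flow above with a hypothetical pending-token store: the weak callback trusts the oauth_token alone, while the hardened callback also confirms that the token was issued to the caller and that the caller still holds the page admin role at completion time. All names, tables and users are constructed.

```python
import secrets

# Constructed page-admin table: page_id -> set of user_ids that are admins.
PAGE_ADMINS = {"page_42": {"alice", "bob"}}

# Hypothetical pending-request store: oauth_token -> (initiating user, page).
PENDING = {}


def start_link(user_id, page_id):
    """Step 1: user clicks 'Link to Twitter'. A request token is issued and
    bound to the user and page that asked for it. The admin check here is
    the only one the weak flow ever performs."""
    if user_id not in PAGE_ADMINS.get(page_id, set()):
        return None
    token = secrets.token_urlsafe(16)
    PENDING[token] = (user_id, page_id)
    return token


def remove_admin(page_id, user_id):
    """Page owner removes another admin after a token was already issued."""
    PAGE_ADMINS[page_id].discard(user_id)


def finish_link_weak(oauth_token):
    """Flawed callback: completes the link for whatever page the token was
    bound to, without re-checking who is calling or their current role."""
    entry = PENDING.pop(oauth_token, None)
    if entry is None:
        return {"ok": False, "reason": "unknown or already-used token"}
    user_id, page_id = entry
    return {"ok": True, "page": page_id, "linked_by": user_id}


def finish_link_fixed(oauth_token, current_user):
    """Hardened callback: the token must belong to the calling user, and that
    user must still be an admin of the page when the link is completed."""
    entry = PENDING.pop(oauth_token, None)
    if entry is None:
        return {"ok": False, "reason": "unknown or already-used token"}
    user_id, page_id = entry
    if user_id != current_user:
        return {"ok": False, "reason": "token was not issued to this user"}
    if current_user not in PAGE_ADMINS.get(page_id, set()):
        return {"ok": False, "reason": "admin role no longer held"}
    return {"ok": True, "page": page_id, "linked_by": current_user}
```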
I am Neeraj Gopal. I'm a Security Analyst at Facebook. I'm interested in web application security. I like finding loopholes in Web applications and participating in various bug bounty programs. My posts are my own and do not necessarily reflect the views and opinions of my employer.