Archive: Nov 2018

XSS on Facebook’s acquisition Oculus CDN

This issue is very similar to my previous report. I thought I would check whether the same issue exists on any other acquisition by “Facebook”. Luckily, the same issue was present on “oculuscdn.com”, even without interchanging any subdomains. Proof of concept: There is an endpoint that allowed developers to upload application assets in their Oculus account. All assets […]


XSS on Facebook-Instagram CDN Server bypassing signature protection.

All Facebook and Instagram photos/videos are stored on their CDN servers “*.fbcdn.net” and “*.cdninstagram.com”, and they are served via various subdomains. All of the photos/videos on the CDN server contain a hash in the URL (various parameters, ‘oh’ and ‘oe’ etc.), which causes an error to be thrown if we modify the file extension (e.g. “.jpg” to […]


Facebook Source Code Disclosure in ads API

Previously, I was very familiar with the “Windows NT” model and its “Windows Phone”. I see that many guys are actively hunting bugs on Facebook easily and receiving bug bounty awards. So I thought I would also join them to have my name appear on the Facebook Whitehat page. Two times already listed on Microsoft […]
