blog

XSS on Facebook’s acquisition Oculus CDN Server

I would suggest you first read the previous post here: How I bypassed Facebook CDN content's signature protection. Oculus was acquired by Facebook, and the Oculus CDN server is also in scope for the Facebook Bug Bounty Program. The same bug was present on "oculuscdn.com", where it was very simple and straightforward. Just […]


XSS on Facebook-Instagram CDN Server bypassing signature protection

Facebook and Instagram store all photos, videos and other content on their CDN servers, such as "*.fbcdn.net" and "*.cdninstagram.com", served via various sub-domains. Every photo or video URL on the CDN carries a signature (parameters such as "oh" and "oe"), which causes an error to be thrown if we […]


Facebook Source Code disclosure in ads API

Facebook Ads Manager allows users to create and publish ads on Facebook. When users upload images through the user interface, Facebook uploads those ad images through the Graph API into the owner's ad_account. The endpoint's weakness was that, when a corrupted image or an invalid BASE64 string was uploaded, the application did not properly handle the exception errors that occur during […]

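The failure mode this excerpt describes, an upload handler that lets a decoding exception escape to the client and so echoes server-side paths and code lines, shown beside a hardened handler that maps the same failures to a generic client error. This is an added Python example, not code from the original post or from Facebook's Ads API; the handler names, the PNG-magic check and the sample inputs are assumptions constructed for illustration.

```python
import base64
import binascii
import traceback

# Constructed sample inputs (not taken from the original post).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
VALID_PNG_B64 = base64.b64encode(PNG_MAGIC + b"\x00" * 16).decode()
INVALID_B64 = "not base64!!"                                   # non-alphabet characters
CORRUPT_IMAGE_B64 = base64.b64encode(b"this is not an image").decode()


def decode_image(b64: str) -> bytes:
    """Strictly decode a base64 image payload and check it looks like a PNG.

    base64.b64decode(..., validate=True) raises binascii.Error on any
    non-alphabet character or bad padding; a decodable payload that is not
    a PNG raises ValueError. Both are the errors a handler must contain.
    """
    raw = base64.b64decode(b64, validate=True)
    if not raw.startswith(PNG_MAGIC):
        raise ValueError("unsupported or corrupted image")
    return raw


def upload_ad_image_leaky(b64: str) -> dict:
    """Vulnerable pattern (hypothetical): the formatted traceback, including
    source file paths, line numbers and code text, is returned in the body."""
    try:
        data = decode_image(b64)
        return {"status": 200, "body": {"bytes": len(data)}}
    except Exception:
        return {"status": 500, "body": traceback.format_exc()}


def upload_ad_image_hardened(b64: str) -> dict:
    """Hardened pattern: expected decode failures become a generic 400;
    the traceback stays server-side (logging omitted here)."""
    try:
        data = decode_image(b64)
        return {"status": 200, "body": {"bytes": len(data)}}
    except (binascii.Error, ValueError):
        return {"status": 400, "body": {"error": "Invalid image data"}}


def leaks_source_details(response: dict) -> bool:
    """True when the response body carries traceback text a client should never see."""
    body = response["body"]
    return isinstance(body, str) and "Traceback" in body and 'File "' in body


if __name__ == "__main__":
    for label, payload in [("invalid base64", INVALID_B64), ("corrupt image", CORRUPT_IMAGE_B64)]:
        print(label, "leaky leaks:", leaks_source_details(upload_ad_image_leaky(payload)))
        print(label, "hardened leaks:", leaks_source_details(upload_ad_image_hardened(payload)))
```

The point of the hardened version is not the narrower `except` clause on its own but that nothing derived from the exception object reaches the response; a catch-all that still returns `str(exc)` would leak less than a full traceback but can still expose internal paths or library internals.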