Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob

Facebook's Bug - Delete any video from Facebook

The story: I came across a note, New: Videos in Comments!, written by Bob Baldwin who works at Facebook. This note was about Facebook launching its new feature of commenting using videos, e.g. now users were allowed to upload a video in comments. When I saw this note, at that…


Facebook's Bug - Fooling Graph Search to Bypass Privacy Restrictions & Extract Private Information

Description: I was able to fool Facebook's Graph Search, bypass privacy restrictions and extract sensitive information about users' applications and pages. I was able to get applications used by any user, regardless of privacy settings set to Only Me, and also I was able to get Pages liked by…


DropBox's Critical Bug - App having ONLY access to `App folder` being able to post and enumerate files in/of any folder

Description: Dropbox offers two APIs: the Core API and the Business API. Both APIs have different permission models, i.e. different and distinct scope permissions are available for each of them. I was testing the Core API and I found…


Facebook's API Bug - Exposure of `unpublished links` over graph api

Description: The endpoint /me/links is undocumented. We cannot find documentation about how to deal with this endpoint. But by combining a few API calls we can create unpublished posts. More information about creating unpublished posts can be found here. It states that, "It is possible to add some content to the…


Facebook's API Bug - Add/Remove `videos` from `video playlists` using a `user access_token` with `public_profile` permissions

Description: The endpoint /{videolist_id}/videos is undocumented, so we cannot find any real documentation about it on the developer site. But still, using the analogy between other endpoints and this endpoint, we can guess how it works. Facebook recently released new features for pages; this was one of them. Now, we can upload…
