Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob

Facebook's Bug - Unauthorized access to credit/prepaid card details (limited) of any user

Description There are various Facebook products like Ads Manager, Business Manager, Messenger Payments, etc. which require a user to add a payment method to their Facebook account, which can be a credit card, debit card, PayPal, etc. E.g. if I want to run Facebook Ads then I need to add a…

Facebook's Bug - Delete any video from Facebook

The story I came across a note, New: Videos in Comments!, written by Bob Baldwin, who works at Facebook. This note was about Facebook launching its new feature of commenting using videos. E.g. now, users were allowed to upload a video in comments. When I saw this note, at that…

Facebook's Bug - Fooling Graph Search to Bypass Privacy Restrictions & Extract Private Information

Description I was able to fool Facebook's Graph Search, bypass privacy restrictions and extract sensitive information about a user's applications and pages. I was able to get the applications used by any user, regardless of privacy settings set to Only Me, and I was also able to get the Pages liked by…

DropBox's Critical Bug - App having ONLY access to `App folder` being able to post and enumerate files in/of any folder

Description Dropbox offers two APIs ... Core API (https://www.dropbox.com/developers/core) Business API (https://www.dropbox.com/developers/business) Both APIs have different permission models, i.e. different and distinct scope permissions are available for each API. I was testing the Core API and I found…

Facebook's API Bug - Exposure of `unpublished links` over graph api

Description The endpoint /me/links is undocumented. We cannot find documentation about how to deal with this endpoint. But by combining a few API calls we can create unpublished posts. More information about creating unpublished posts can be found here. It states that, "It is possible to add some content to the…