Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob

Home     About      Favorite Books      Join Security Thursday     

Facebook's API Bug - Add/Remove `videos` from `video playlists` using an `user access_token` with `public_profile` permissions

Description The endpoint /{videolist_id}/videos is undocumented. So, we cannot find any real documentation about this on developer's site. But still using analogy between other endpoints and this endpoint we can guess the working. Facebook recently released new features for pages. This was the one. Now, we can upload…

Continue reading

Facebook's API Bug - Delete a photo posted on a page using an `user access_token` withOUT `manage_pages` permissions

Description According to the documentation mentioned here (, app can delete a photo by following the stipulated conditions ... A user access token with publish_actions permission is required to remove a user's photos. A page access token or a user…

Continue reading

Twitter's Bug - Importing contacts (OAuth Flaw)

Introduction About Twitter's OAuth Integrations Twitter is using many third party OAuth integrations like Gmail, AOL, Outlook, Yahoo, etc. These third party integrations are used so that they can provide an easy way for their users to Import Contacts from these sites. eg. If an user is having many email…

Continue reading

HackerOne Bug - Redirect Filter Bypass and Open Redirector

What is Open Redirector ? Open Redirect vulnerability allows attacker of an web application to redirect users to any external sites. Here, there is no validation of the passed input by attacker. This is basically used in phishing attacks. eg. Here, if…

Continue reading