Diogo Real Posts

April 27, 2017 / / Bug bounty

Instagram vulnerability disclosing users' information report:

Due to a missing X-Frame-Options header on some Instagram pages, it is possible to disclose the following private user information:

First name, last name, mobile number, email address, birthday, user biography, etc.

Even if the user's account is private, an attacker could obtain the target's private Instagram data.

December 26, 2016 / / Bug bounty

Facebook open graph vulnerability report:

This method allows me to impersonate any domain, including Facebook domains.
Imagine an attacker sending a phishing page that he controls via chat while impersonating Facebook.
Or the attacker manages to attack other websites that have a Send button and changes the “data-href” parameter in the website's source code, so that every piece of content users share goes to the attacker's website.

December 6, 2016 / / Bug bounty
November 30, 2016 / / Bug bounty
November 25, 2016 / / Bug bounty

Facebook open redirect vulnerability report:

I found an open redirect on Facebook while I was looking for possible open redirects.

I created an app and used one of my domains to replicate the issue:

https://www.facebook.com/dialog/share?app_id=1305980872765022&display=popup&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D1DWiB7ZuLvI&feature=share&redirect_uri=http%3A%2F%2Ffacebookwhitehat.tk

In order to make it work, while browsing the link shown above, the user needs to click the “cancel” or “share” button to get redirected.

June 15, 2016 / / Bug bounty

Facebook reauthentication bypass bug bounty report:

Last month I reported a Privacy / Authentication issue to Facebook concerning a method that allows bypassing the reauthentication step when you want to add a user to manage a Facebook page.