I’m gonna start this write-up as a story. This was about 9:00 pm, I was…
Diogo Real Posts
Due to missing X-Frame-Options on some Instagram pages it is possible to disclose the following users' private information:
First name, last name, mobile number, email address, birthday, user biography, etc.
Even if the user account is private, an attacker could get the target's private Instagram data.
This method allows me to impersonate any domain including Facebook domains.
Imagine an attacker can send, via chat, a phishing page that he controls and impersonate Facebook.
Or the attacker manages to attack other websites which have a Send button, change the "data-href" parameter in the website's source code, and every piece of content users share will go to the attacker's website.
This report was a resubmission after the first report:
I had deepened my research and also managed to find that this flaw affects not only Facebook but also Instagram. This issue can be reproduced in all browsers.
Last month I reported a security issue to Badoo concerning a method that allows to…
I found an open redirect on Facebook as I was looking for possible open redirects.
I created an app and used one of my domains to replicate the issue:
Last month I reported a Privacy / Authentication issue to Facebook concerning a method that allows bypassing the reauthentication required when you want to add a user to manage a Facebook page.