Diogo Real Posts

September 27, 2018 / / Research
April 27, 2017 / / Bug bounty

Due to missing X-Frame-Options on some Instagram pages, it is possible to disclose the following private user information:

First name, last name, mobile number, email address, birthday, user biography, etc.

Even if the user's account is private, an attacker could get the target's private Instagram data.

December 26, 2016 / / Bug bounty

This method allows me to impersonate any domain, including Facebook domains.
Imagine that an attacker can send, via chat, a phishing page that he controls and impersonate Facebook.
Or the attacker manages to attack other websites which have a send button and change the “data-href” parameter in the website's source code, and all content users share will go to the attacker's website.

December 6, 2016 / / Bug bounty
November 30, 2016 / / Bug bounty
November 25, 2016 / / Bug bounty
June 15, 2016 / / Bug bounty