This was on a private bounty program. I have redacted all the info related to the program. Enjoy! Out of Band XML External Entity Injection via SAML – redacted

Originally I just had default administrator credentials then I poked around for less than 10 minutes and found a configuration export which allowed me to export files with root privileges. Attached…

I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no paymen…

SSRF 1 This SSRF allowed me to view local files on the host as well as port scan internal hosts. Reading /etc/passwd using the file protocol. Brute-forcing for log files using BurpSuite Intruder: S…

This XSS was via embedly which controls the content-type response to image types. Luckily .svg was allowed. I used this blog to help create a .svg that contained XSS.   PoC: <?xml version=&…

JFrog Artifactory XXE

Meta Rayban Stories has lower-level settings to change via the View (Assistant app) for example enable Assistant change inner LED notification level change volume Since the method for these settings are shared for other options defined in the firmware, it…

There is a XController that allows information to be returned about an Instagram user. This feature discloses the country of a private account. Even if this feature is an ad tool, this does not support the privacy of a private account. Additionally the owner…

There is a root GraphQL query that gives one access to numerous CrowdTangle API calls including one that lists the deleted objects for popular Facebook entities by date. Regular users shouldn’t have access to CrowdTangle this way. The data was of the form…

Facebook allows a user or page (gaming creator) to delegate users as community managers (CM) for moderating comments on live gaming videos. When a user invites a person as a CM, this will add the person to a pending community manager list. It’s assumed that…

Facebook campus is a special group that needs an .edu styled email to gain access.It is possible to list members of a campus because the child groups list members. Timeline Jul 14, 2021 – Report sentJul 23, 2021 – Fixed by Facebook

The KnowledgeNote GraphQL object has a field which shows the user who last edited a note. All notes in Facebook are of type KnowledgeNote. Timeline Jul 12, 2021 – Report sentJul 19, 2021 – Fixed by Facebook

The Facebook GraphQL Page object has a field page_owner_name which discloses the owner of a page. Timeline Jul 12, 2021 – Report sentJul 14, 2021 – Fixed by Facebook

The GraphQL Application has two fields (“created_by_name”, “created_by_uid”) that allow for disclosure of the creator of a Facebook application Timeline Jul 11, 2021 – Report sentJul 14, 2021 – Fixed by Facebook

Bulletin.com is Facebook’s new publication service. The VoiceCreator object in GraphQL has no apparent permissions, this means I can list the subscribers of a podcast/publication by email address.query a {bulletin_browse_publications(){__typename,publica…

I've been doing bug bounties for over 10 years now and over time, I have grown fonder of the life changing effects it has had for me. From job prospects, to being able to financially support those around me and myself. I believe that if you're passionate…

TL;DR when money is involved, things can get ugly. Your best bet is to be clear about the terms up-front and stick to the 50/50 rule. Don't share information with people you don't have the privilege to.

The thing that frustrates me about the bug bounty community…

In the last few days, I have been able to have productive conversations with my peers in the bug bounty community including Patrik who works on the triage team and Luke who leads community efforts from HackerOne. Patrik has helped clear up misconceptions…

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.