• From empty page to POST based JSON XSS

    Hello bug bounty hunters. This is Daoud Youssef, a part-time bug bounty hunter and co-founder of flawminers.com. Today I would like to show you a vulnerability I discovered recently; it has some small tips and tricks that could be useful to anyone who finds the same vulnerability, so let’s begin. I have been invited to a…

  • Subscription price manipulation in Wt.Social

    Introduction WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter. The service contains no advertisements and runs off of donations. As of mid-November 2019, it claimed over…

  • Account Take Over in Wt.Social

    Introduction WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter. The service contains no advertisements and runs off of donations. As of mid-November 2019, it claimed over…

  • Add comment on a private Oculus Developer support

    Introduction Oculus Developer support is the dedicated hub for developers and creators seeking to explore the limitless possibilities of virtual reality (VR) on the Oculus platform. For more details, see https://developer.oculus.com/support/ The finding Having previously tested Oculus a few months ago without uncovering any bugs, I revisited the platform on September 17th for a fresh…

  • Sign up for Brand Collabs Manager on behalf of other page admins – Privilege Escalation

    Introduction Brand Collabs Manager serves as a dynamic marketplace facilitating seamless connections between brands and creators, empowering them to discover, understand, and engage with each other’s potential. Located within Facebook page settings, the application process is typically exclusive to page administrators. Through this platform, administrators can apply and sign up as either a “creator” or…

  • Break saved option for other users in Facebook – From N/A to valid bug

    Introduction In 2018, I discovered a vulnerability within the ‘Saved’ option on Facebook, allowing me to break my saved items. Since the impact was limited to my own account, I refrained from reporting it to the Facebook Security Team, considering it non-applicable (N/A) similar to finding a ‘Self XSS.’ In 2019, I revisited the issue…

  • Persistent Distorted Posts Issue and Unremovable Content in Facebook Group

    Introduction Facebook recently added a new group type option called “Social Learning”. Groups classified in this way gain access to the new “Units feature”, which allows you to leverage the group as a platform for online course content or to simply organize your posts by topic. For more details, see https://www.facebook.com/help/184985882229224 The finding During the…

  • Disclose private mockups for other users in Facebook Creative Hub

    Introduction Facebook offers a powerful feature known as “Creative Hub,” designed to serve as a collaborative platform for businesses. This tool facilitates the creation of ad mockups and provides a space for learning and drawing inspiration from creative possibilities without requiring any specific design skills or prior experience with Facebook advertising. For in-depth information, visit…

  • How I found a simple bug in Facebook events without any Test

    Introduction A Facebook event is a feature that allows Facebook users or page operators to create a calendar-based invitation to an event. A Facebook event can be sent to a select group of people and will include information about the event, the time and date of the event and even images related to the event.…

  • Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups

    Introduction While reviewing my old notes on my computer, I came across the following entry: So, what exactly is the Watch Party Option? The Watch Party Option is an innovative feature within Facebook groups that empowers not only Group admins but also regular members to select any public video on Facebook and present it simultaneously…