How I Bypassed Facebook CSRF again!

Posted by Pouya Darabi On Tuesday, May 17, 2016 7 comments






I found a vulnerability in Facebook that allowed me to send a POST request with a CSRF token to any Facebook endpoint or external host!

It was very similar to this bug which I found in 2015.


Facebook - How I bypassed Facebook CSRF Protection 2015

Posted by Pouya Darabi On Thursday, April 9, 2015 33 comments







I discovered a critical vulnerability in Facebook that allowed an attacker to bypass Facebook CSRF protection!

More information about CSRF at OWASP.

Facebook - bypass ads account's roles vulnerability 2015

Posted by Pouya Darabi On Sunday, March 15, 2015 1 comments







I discovered a vulnerability in Facebook that allowed a normal user in an ad account to get unauthorized admin access in that ad account.

Admins in an ad account can add any user to their ad account with one of these 3 types of role:

  1. admin
  2. advertiser
  3. analyst

Read more about these roles: link