WRITEUP #3036

Missing rate-limiting. How I was able to add any unowned phone number to my Facebook account? (Bounty: 5000 USD)

RCEOTP bruteforceLack of rate limiting

by@theshubh77(Shubham Bhamare)

Bounty

5,000

Program

Meta / Facebook

Published

Jan 31, 2022

Added to HackDex

Sep 15, 2022

Read Full Writeuphttps://theshubh77.medium.com/write-up-missing-rate-limiting-how-i-was-able-to-add-any-unowned-phone-number-to-my-fb-account-fe4d7e67cf10

▸ RELATED WRITEUPS

Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens

RCEBruteforce

$500 for Cracking Invitation Code For Unauthorized Access & Account Takeover

RCEOTP bruteforce

Vulnerabilities in Open Source C2 Frameworks

RCEOS command injection

[2,500$ Bug Bounty Write-Up] Remote Code Execution (RCE) via unclaimed Node package

RCEDependency confusion

Attacking PowerShell CLIXML Deserialization

DeserializationInsecure deserialization

Built with ❤️ by Shubham Rawat