WRITEUP #3767

Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens

OAuth, Broken authorization, Account takeover
by @samm0uda (Youssef Sammouda)
Bounty: 18,000
Program: Meta / Facebook
Published: May 5, 2021
Added to HackDex: Sep 15, 2022
Read Full Writeup: https://ysamm.com/?p=684