Back to directory

WRITEUP #3871

Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow

Auth BypassAccount takeoverOAuthOpen redirect

by@samm0uda(Youssef Sammouda)

Bounty

12,000

Program

Meta / Facebook

Published

Apr 1, 2021

Added to HackDex

Sep 15, 2022

Read Full Writeuphttps://ysamm.com/?p=646

▸ RELATED WRITEUPS

Self XSS + Login CSRF + OAuth = Account Takeover

Auth BypassAccount takeover

Interesting Story of an Account Takeover Vulnerability

Auth BypassAccount takeover

Instagram and Meta 2FA Bypass by Unprotected Backup Code Retrieval in Accounts Center

Auth Bypass2FA / MFA bypass

Forced SSO Session Fixation

Account takeover on 8 years old public program

Auth BypassAccount takeover

Built with ❤️ by Shubham Rawat