Intro To Facebook Bug Bounty

Web developer from BNYMellonTech


/**
 * @author Raja Sekar Durairaj
 * @company BNY Mellon Technology Pvt Ltd
 * @socialMedia
 * @topic-title Intro to FB Bug Bounty
 */
const meetup = new NullChennai();

const speaker = meetup.getSpeaker('Rajsek');


    Hi... I am "Raja Sekar Durairaj"
    Full stack developer "@BNY Mellon Tech Pvt Ltd".
    Makes Facebook a safer place
    Read a lot of things & write a few things in Medium
    blog ""

    "Intro to FB Bug Bounty 💰 💸"



Facebook WhiteHat Program

- Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software.
- Facebook's program launched in 2011 and is one of the oldest and most mature in the industry.


Place To Report:

Products In-Scope: Facebook - Web, Facebook - iOS, Facebook - Android, Messenger, Instagram, WhatsApp, Oculus, Open Source (e.g. HHVM), Third Party Apps

Vulnerability Type: Access Token Disclosure, Account Takeover, Clickjacking, Code Execution, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Database Injection, Denial-of-Service (DoS), Memory Corruption, Open Redirect, Privacy / Authorization, Rate Limiting, Server-Side Request Forgery (SSRF), Other

Things I reported

"Thanks to the community groups (Null Chennai) and info security blogs."

Birth Year Disclosed


Full DoB




And Few more...

You can read it at

Facebook Graph API



  • The Graph API is an interface utilising various calls through
  • The calls that we will use are either publicly accessible or need some form of authorisation via an access token.
  • The access token is your key to the city, but each city has different keys.
  • So get it right and be sure you know where you are.
  • Start by using a user access token. This can be used to make requests to the Facebook API on behalf of the user. Most of the time, this is all you need.




Text is extracted from this link

What it does:

Look for other Domains

(,,,, and etc)

Rate Limit Reports

Rate Limit

  • Some time ago, Anand Prakash found that rate limiting was missing on the forgot-password endpoints on and (link)

  • Arun Suresh Kumar, 21, of Kollam, found a similar bug on another domain. (link)

IP Rotation


Similar Instagram account takeover using an IP rotation attack on password reset (link)
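The two slides above describe the same defect from two angles: no rate limit on a password-reset endpoint, and a per-IP limit that an attacker sidesteps by rotating source addresses. The following is an added example, not code from this talk or from Facebook, of a limiter that counts attempts per source IP and per target account, plus a constructed simulation showing why the account key is what stops IP rotation; the account name and the 10.0.x.x addresses are constructed.

```python
# Added example (not from the talk or from Facebook): a sliding-window rate
# limiter for a password-reset endpoint keyed on source IP and on the target
# account. A limiter keyed only on IP is defeated by IP rotation.
import time
from collections import defaultdict, deque


class ResetRateLimiter:
    """Allow at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit=5, window=60.0, dimensions=("ip", "account")):
        self.limit = limit
        self.window = window
        self.dimensions = dimensions
        self.hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def _allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # evict entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def allow_reset(self, account, ip, now=None):
        """Return True if a reset request for `account` from `ip` may proceed."""
        now = time.monotonic() if now is None else now
        keys = {"ip": ip, "account": account}
        # Evaluate every enforced dimension (no short-circuit) so a blocked
        # request still counts against the other keys.
        verdicts = [self._allow((d, keys[d]), now) for d in self.dimensions]
        return all(verdicts)


def simulate_rotating_ips(attempts, dimensions):
    """Constructed scenario: `attempts` reset requests against one account,
    each from a fresh source IP, 0.1 s apart. Returns how many got through."""
    limiter = ResetRateLimiter(limit=5, window=60.0, dimensions=dimensions)
    allowed = 0
    for n in range(attempts):
        ip = f"10.0.{n // 256}.{n % 256}"  # constructed rotating addresses
        allowed += limiter.allow_reset("victim@example.test", ip, now=n * 0.1)
    return allowed


if __name__ == "__main__":
    print("IP-only limiter let through:", simulate_rotating_ips(100, ("ip",)))
    print("IP+account limiter let through:",
          simulate_rotating_ips(100, ("ip", "account")))
```

The same per-account counter, aggregated over distinct source IPs, is also a useful detection signal: many reset attempts for one account from many addresses in a short window is exactly the pattern the reports above describe.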




What it does:

FB Business Manager Portal

FB Developer Portal

Internal API(mobile,Web)

Internal API(mobile API's)

  • Certificate pinning normally protects traffic that originates from Facebook mobile apps against sniffing.
  • But according to Facebook, when security researchers turn on the "Whitehat Settings" option, Facebook will intentionally break its certificate pinning mechanism for that account,
  • so the researcher can intercept, sniff, and analyze the traffic that originates from within the app. (link)




New Whitehat Settings


By Raja Sekar