Family Guy | The Quest for Stuff

Missing Authorization check while deleting App Review for Marketing API Peter, was enjoying the weekend, and he heard Lois screaming. Hey, Peter, when are we getting new Television: Well, huh!!! Alright… Let's find something Honey :p  Facebook has an option for App Review for Marketing API: This privilege is only given to app admin: App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review. Impact: A developer can change the app submission settings which can only be done by an admin and can also play with current submission settings. here's the official documentation: Facebook developer's documentation The authorization check for the developer is missing on backend for the add/delete requests. Peter being a developer was able to delete the added submissions(despite of having them disabled on front end) Steps to replicate: 1. create a test app, 2. add admin A and developer B 3. from developer B’...

Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account: Product/URL:   Facebook android app on facebook Description and Impact The issue: Missing authorisation check while accessing friend request API on android app,  an attacker can add friend requests of any facebook user into his own account. in simple words Peter says: Wait, what, no, no, Peter is a nice fellow. Peter: Ok, but still  Its like I can intercept and accept friend requests from someone which was send to some other user via Facebook send friend request to contacts option. Let's report!! Sceanrio: X sends friends request by contacts option to Y. And I can get the request which was send to Y and become friend with X. Reproduction Instructions/Proof of Concept: 1. install latest android app.  2. Create new account.  3. Enter a random mobile number[victim's]. 4. Enter a good name. 5. Enter gender. 6. You ...