Posts

Recent posts

Facebook vulnerability allows an attacker to prevent any user from blocking them

Vulnerability Report - Facebook Events / Block Bypass

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to prevent any Facebook user from blocking them.

Description of Vulnerability:

1. On Facebook Events you can go to https://www.facebook.com/events/create/ and create a recurring event, which is simply a single event that repeats at different time intervals.
2. If you create a recurring event and then delete that recurring event, any Facebook user who tries to block you on Facebook will encounter an error message that prevents them from doing so.

Exploitation Scenario:

1. The attacker wants to prevent any Facebook user from blocking them permanently.
2. The attacker goes to https://www.facebook.com/events/create/, clicks “Repeat event”, sets it to repeat twice, then clicks “Create event”.
3. The attacker deletes this recurring even...

Critical Privilege Escalation Vulnerability in Teleport ($21,000)

Teleport | Report #2281075 | HackerOne

access list owner can escalate his role to the highest roles

moaz219 submitted a report to Teleport. December 11, 2023, 6:28pm UTC

Summary:

Go to [your-domain.teleport.sh/web/accesslists]. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. Add a user as the Access List Owner. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating their own account's role. This is a prohibited procedure, as stated here, that Owners are not able to control what roles and traits are granted by the Access List.

Steps To Reproduce:

From Organization Owner Account: Go to [your-domain.teleport.sh/web/accesslists]. Create a new access list. Add a user as List Owner. Add a role to "R...