4168 | Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. | Authorization flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-04-30 | 2023-06-13 |
4150 | Bypassing Instagram’s stories restriction | Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-05-17 | 2023-06-13 |
4018 | XX to XXX in one day | Account takeover, Parameter tampering | WePay | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-07-23 | 2023-06-13 |
3962 | Sending Message as page being an analyst/ advertiser? | Authorization flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-08-21 | 2023-06-13 |
3829 | Bypassing the patch for my previous Instagram bug. | Authorization flaw, Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-11-18 | 2023-06-13 |
3818 | Reply To Instagram Stories where privacy of who can reply is set to ‘Nobody’. (Part 2) | Authorization flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2019-11-21 | 2023-06-13 |
3735 | How I found a Privilege Escalation Bug in a private Ecommerce? | Privilege escalation | NA | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-01-06 | 2023-06-13 |
3531 | Hiding ourself in close friend’s list and avoiding victim to remove us from his close friend’s list. | Authorization flaw, Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-04-23 | 2023-06-13 |
3167 | How often do we overlook vulnerabilities? | Information disclosure | HackerOne | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-09-09 | 2023-06-13 |
2974 | Hiding from a custom list is possible on who sees our post is possible making victim not remove them from the list. | Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-12-11 | 2023-06-13 |
2967 | Disclosing the members of private Facebook Group as a non-member. | Authorization flaw, Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-12-15 | 2023-06-13 |
2949 | Hiding from custom story privacy list is possible in FBlite making the victim unable to remove you from the list. | Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2020-12-24 | 2023-06-13 |
2718 | Facebook Group Members Disclosure. | Information disclosure | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2021-03-15 | 2023-06-13 |
2717 | De-anonymize the members of a private Facebook Group as a non-member. | GraphQL, Information disclosure | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2021-03-15 | 2023-06-13 |
2613 | Page Owners Can’t remove or change page roles of deactivated users (or if Attacker blocks the page owner) in Facebook Lite, Facebook for Android and touch.facebook.com | Logic flaw | Meta / Facebook | Baibhav Anand (@SpongeBhav) | Bug Bounty | 2021-04-22 | 2023-06-13 |