
Disclose All Facebook Private Primary E-mail Addresses - dsr12
https://www.youtube.com/watch?v=RkRKTH7fXqQ
======
arkadiyt
As someone on the receiving side of bug bounty reports, PoC videos are usually
the worst way to go. A clean writeup is 100x better and easier to figure out.

The actual bug here looks to be that the reporter is able to add themselves as
an admin to any account via insecure direct object reference (IDOR), after
which they can query the users' account information. Good find and worth the
$5k reward they got for it.

However, publishing a video with them fetching PII data and displaying the
data seems grossly irresponsible (and illegal depending on the jurisdiction).
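The bug the comment describes is an authorization failure, not an authentication one: the "add admin" endpoint trusts the account id the client supplies and never checks that the caller already administers that account, so any logged-in user can promote themselves and then pass the (correct) admin check on the PII read. As an added example, not code from the video, the reporter or Facebook, here is a minimal Python model of that endpoint with the check missing and then present; the in-memory store, the account ids and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to manage the target account."""


@dataclass
class Account:
    account_id: int
    primary_email: str          # the PII the video displayed
    admins: set = field(default_factory=set)


def make_store():
    """Constructed in-memory store standing in for the real account database."""
    return {
        1: Account(1, "alice@example.com", {"alice"}),
        2: Account(2, "bob@example.com", {"bob"}),
    }


def add_admin_vulnerable(store, caller, account_id, new_admin):
    """IDOR: account_id comes straight from the request and is used as-is.

    The only thing established is that `caller` is logged in; nothing verifies
    that the caller is already an admin of account_id, so any authenticated
    user can make anyone (including themselves) an admin of any account.
    """
    acct = store[account_id]
    acct.admins.add(new_admin)
    return sorted(acct.admins)


def add_admin_fixed(store, caller, account_id, new_admin):
    """Same endpoint with the object-level authorization check it was missing."""
    acct = store[account_id]
    if caller not in acct.admins:
        raise Forbidden(f"{caller} is not an admin of account {account_id}")
    acct.admins.add(new_admin)
    return sorted(acct.admins)


def read_primary_email(store, caller, account_id):
    """The PII read is gated correctly on admin membership; that is why the
    admin-add IDOR is the whole bug: once promoted, this check passes."""
    acct = store[account_id]
    if caller not in acct.admins:
        raise Forbidden(f"{caller} is not an admin of account {account_id}")
    return acct.primary_email


def simulate_reported_flow(store, add_admin):
    """Replay the two-step flow from the comment against either endpoint.

    Returns the e-mail that would be exposed, or None when authorization held.
    `outsider` is a constructed user who administers no account in the store.
    """
    try:
        add_admin(store, caller="outsider", account_id=1, new_admin="outsider")
        return read_primary_email(store, caller="outsider", account_id=1)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable endpoint:", simulate_reported_flow(make_store(), add_admin_vulnerable))
    print("fixed endpoint:     ", simulate_reported_flow(make_store(), add_admin_fixed))
```

The fix is one membership check, but the useful lesson for reviewers is where to look: every handler that takes an object id from the client needs its own check that the caller may act on that object, and a privilege-granting handler deserves that scrutiny first, because a gap there silently turns every downstream "admins only" check into a formality. Logging the Forbidden path with the caller and target account id also gives you a cheap detection signal for users probing account ids that are not theirs.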

