Latest Posts

Abusing Facebooks Call To Action to launch internal deeplinks

Abusing Facebooks Call To Action to launch internal deeplinks

Ashley King 02 Feb 2022 Meta

Ever noticed that big blue button on the top of every Facebook page? This feature, known as Call to action or CTA is designed for user...

Read More
Open redirects are not dead! Or are they?

Open redirects are not dead! Or are they?

Ashley King 20 Jan 2022 Meta

Over the last few years doing bug bounties, it's becoming more and more common for companies to reject reports about Open Redirects. Once upon a...

Read More
Bypass Microsoft Teams Tenancy Permission - Edit Sent Messages

Bypass Microsoft Teams Tenancy Permission - Edit Sent Messages

Ashley King 18 Oct 2021 Microsoft

Back in December 2019 I reported a Microsoft Teams Tenancy Permission bypass that allowed a user to modify...

Read More
Abusing corporate URL shorteners

Abusing corporate URL shorteners

Ashley King 27 Jun 2021 Misc

URL shorteners are great! They allows users to turn a 200 character url into something substansially less. It's ideal for those...

Read More
Bypassing locked profile restrictions on Facebook

Bypassing locked profile restrictions on Facebook

Ashley King 02 Feb 2021 Meta

Facebook allows certain users to set their Facebook profile to be "locked". This means other users are not able to view their full profile...

Read More
Launching internal & non-exported deeplinks on Facebook

Launching internal & non-exported deeplinks on Facebook

Ashley King 28 Jan 2021 Meta

The report was submitted as a collaboration between myself and Rahul Kankrale. The split was 70% Ash & 30% Rahul. It was possible...

Read More