Baibhav Anand Jha


$~# whoami
Baibhav Anand Jha
I do bug-bounties
I develop
I learn
I hack
He/Him

 

      

BLOGS


Page Owners Can't remove or change page roles of deactivated users (or if Attacker blocks the page owner) in Facebook Lite, Facebook for Android and touch.facebook.com

Date: April 22, 2021 | 2 minutes read.

If the attacker deactivates his account or blocks the Page Owner, Page Owner will not be able to remove or change the attacker’s p…
Read More…



De-anonymize the members of a private Facebook Group as a non-member.

Date: March 15, 2021. | 2 minutes read.

A Non-member can determine if someone is the member of a private group or not via CometHovercardQueryRendererQuery graphQL mutat…
Read More…



Hiding from custom story privacy list is possible in FBlite making the victim unable to remove you from the list.

Date: December 24, 2020. | 2 minutes read.

Attacker can hide himself in the custom story privacy settings in Facebook Lite app making victim unable to remove him from the l…
Read More…



Disclosing the members of private Facebook Group as a non-member.

Date: December 15, 2020 | 2 minutes read

It was possible to know if someone was a member of a private group or not via the group profile view endpoint in Facebook lite…
Read More…



Hiding from a custom list is possible on who sees our post is possible making victim not remove them from the list.

Date: December 11, 2020 | 2 minutes read.

Attacker can hide in the specific friends list so that victim can’t see him while updating the list in the next post and attacke…
Read More…



How Often Do we Overlook Vulnerabilities?

Date: September 9, 2020 | 4 minutes read.

“7/10 vulnerabilities are often overlooked by hackers.” -Aristotle. I don’t know if that’s true, I just made that up. Anyway, Th…
Read More…



Hiding ourself in close friend's list and avoiding victim to remove us from his close friend's list.

Date: April 23, 2020 | 2 minutes read.

There is a feature in Facebook called close friend’s list which you can find here: https://www.facebook.com/bookmarks/lists this a…
Read More…



Reply To Instagram Stories where privacy of who can reply is set to 'Nobody'. (Part 2)

Date: October 21, 2019 | 2 minutes read.

Attacker was able to reply to Instagram stories where who can reply to the story privacy was set to ‘Nobody’. It is the bypass of…
Read More…



Reply To Instagram Stories where privacy of who can reply is set to 'Nobody'.

Date: April 30, 2019 | 2 minutes read.

Attacker was able to reply to Instagram stories where who can reply to the story privacy was set to ‘Nobody’ by popping up keyboar…
Read More…