Ramadan has found vulnerabilities in major service providers such as Google, Facebook, Twitter and Microsoft, and has received bug bounty rewards from them.
An XXE (XML External Entity) attack exploits a weakly configured XML parsing mechanism.
You can read more about these fixes here.
Facebook had clarified that it had fixed all of its servers, so finding another XXE vulnerability seemed highly unlikely.
Yet Ramadan decided to continue his quest.
After some digging, he came across Facebook's careers page, https://www.facebook.com/careers/.
He created a fake CV as a forged Microsoft Word document and uploaded it to the Facebook careers web page.
He started a Python HTTP server on his local machine.
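The defensive counterpart to the scenario above, as an added example that is not from the article or from Facebook: a Word document is a zip container of XML parts, so an upload handler should screen every part for DTD and entity declarations and refuse the file before any XML parser sees it. The container built here is a constructed, minimal zip with only a `word/document.xml` part (not a real .docx), the placeholder URL is never fetched, and the function names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Any DTD at all is refused: an uploaded CV has no legitimate need for one,
# and external entity declarations can only appear inside a DOCTYPE.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def screen_xml_part(data: bytes):
    """Return a rejection reason for one XML part, or None if it may be parsed."""
    if _DOCTYPE_RE.search(data):
        return "DOCTYPE declaration present"
    if _ENTITY_RE.search(data):
        return "ENTITY declaration present"
    return None


def screen_docx(container: bytes):
    """Screen every XML part of an OOXML (zip) container before parsing any of it.

    Returns a list of (part_name, reason) for parts that must be rejected.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            # .rels parts are XML too and are parsed by document libraries.
            if not name.lower().endswith((".xml", ".rels")):
                continue
            reason = screen_xml_part(zf.read(name))
            if reason:
                findings.append((name, reason))
    return findings


def parse_docx_text(container: bytes):
    """Extract the document text, but only after the whole container passed screening."""
    findings = screen_docx(container)
    if findings:
        raise ValueError("upload rejected: %r" % (findings,))
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(root.itertext())


def _build_container(document_xml: bytes) -> bytes:
    """Build a constructed, minimal zip holding just word/document.xml (not a real .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: a harmless document part.
CLEAN_DOCX = _build_container(
    b'<?xml version="1.0"?><document><p>Plain CV text</p></document>'
)

# Constructed sample of the declaration shape a screener must catch;
# the URL is a placeholder and is never resolved by this code.
DTD_DOCX = _build_container(
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "http://placeholder.invalid/x">]>'
    b"<document>&ext;</document>"
)

if __name__ == "__main__":
    print(parse_docx_text(CLEAN_DOCX))
    try:
        parse_docx_text(DTD_DOCX)
    except ValueError as exc:
        print(exc)
```

Rejecting the DOCTYPE outright, rather than trying to parse it safely, is the simplest rule to reason about: it removes the entity-resolution code path entirely, and a rejected upload is cheap to log and alert on.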
Without further ado, he informed the social network of his findings.
His findings were rejected outright the first time, with the following words.
source: www.techworm.net