Broken session management leads to 2FA bypass and permanent access to Facebook users' accounts

Mahmoud Barakat
Nov 19 · 2 min read

The story began when I received a notification from a friend about a donation campaign for his birthday. While using the Facebook app (iOS), I tapped the donate button and was redirected to the web-browser version to make the donation by credit card or PayPal, through this endpoint: {/donation/login/?nonce=xxxxx&uid=xxxxxx}

Donation Feature{USER_ID}

I noticed that when you open that endpoint in your web browser, even if you have never signed in with your Facebook account there, Facebook automatically redirects you into your Facebook account without a password or any other authentication!!

So I repeated the same scenario, but this time I copied the link{USER_ID} and sent it to a friend. He got access to my Facebook account without any authentication (no 2FA, no password), and even if you change your password he still has access to your Facebook account!!

Steps:

1. Go to donate to any organization from the Facebook app (iOS).
2. Try to make a donation.
3. You will be redirected to the endpoint “ ”.
4. Copy this link and open it from another device on which you have never signed in with your account.
5. Open it, and you will be redirected automatically to the victim's account.
6. You now have access to the Facebook account without a password or 2FA (even if the victim changes the password or removes all sessions, you still keep access to the account).
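The root cause described in the steps above is a login hand-off link whose nonce is accepted on any device, any number of times, and survives a password change. The following is an added example, not Facebook's code, that models the endpoint shape from the post (`/donation/login/?nonce=...&uid=...`) with two redeemers: `redeem_naive` reproduces the reported behaviour, and `redeem_hardened` shows the checks that close it (short TTL, single use, binding to the issuing app session, and invalidation when the password is rotated or all sessions are logged out). The class and function names, the in-memory store, the sample uid and the 60-second TTL are all assumptions made for this example.

```python
"""
Added example (not Facebook's code): an app-to-web login hand-off link
of the form /donation/login/?nonce=...&uid=... implemented two ways.
`redeem_naive` models the behaviour described in the post: the link
alone is enough to log in, forever, from any device.  `redeem_hardened`
binds the nonce to a short TTL, single use, the issuing app session and
the account's password generation, so rotating the password or logging
out everywhere kills the link.  All names and the in-memory store are
assumptions made for this example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

HANDOFF_TTL_SECONDS = 60  # assumed: a hand-off link should live seconds, not forever


@dataclass
class Account:
    uid: str
    # Bumped on password change or "log out of all sessions"; every
    # credential derived before the bump becomes stale.
    password_generation: int = 0
    active_sessions: Set[str] = field(default_factory=set)


@dataclass
class HandoffNonce:
    uid: str
    issuing_session: str
    password_generation: int
    expires_at: float
    used: bool = False


class HandoffService:
    def __init__(self) -> None:
        self.nonces: Dict[str, HandoffNonce] = {}

    def issue(self, account: Account, session_id: str, now: float) -> str:
        """Build the hand-off URL for an already authenticated app session."""
        if session_id not in account.active_sessions:
            raise PermissionError("hand-off links are only issued to logged-in sessions")
        nonce = secrets.token_urlsafe(32)  # unguessable; never derived from the uid
        self.nonces[nonce] = HandoffNonce(
            uid=account.uid,
            issuing_session=session_id,
            password_generation=account.password_generation,
            expires_at=now + HANDOFF_TTL_SECONDS,
        )
        return f"/donation/login/?nonce={nonce}&uid={account.uid}"

    @staticmethod
    def _parse(url: str) -> Tuple[Optional[str], Optional[str]]:
        q = parse_qs(urlparse(url).query)
        return q.get("nonce", [None])[0], q.get("uid", [None])[0]

    def redeem_naive(self, url: str, accounts: Dict[str, Account]) -> Tuple[bool, str]:
        """Vulnerable pattern: a known nonce/uid pair logs in, any time, from anywhere."""
        nonce, uid = self._parse(url)
        rec = self.nonces.get(nonce)
        if rec is None or rec.uid != uid or uid not in accounts:
            return False, "unknown nonce"
        return True, f"web session for {uid}"

    def redeem_hardened(self, url: str, accounts: Dict[str, Account], now: float) -> Tuple[bool, str]:
        """Hardened pattern: every condition below must hold, then the nonce is burned."""
        nonce, uid = self._parse(url)
        rec = self.nonces.get(nonce)
        if rec is None or rec.uid != uid or uid not in accounts:
            return False, "unknown nonce"
        account = accounts[uid]
        if rec.used:
            return False, "nonce already redeemed"
        if now > rec.expires_at:
            return False, "nonce expired"
        if rec.issuing_session not in account.active_sessions:
            return False, "issuing session no longer active"
        if rec.password_generation != account.password_generation:
            return False, "credentials rotated since issue"
        rec.used = True  # single use: a forwarded copy is worthless after this
        web_session = secrets.token_urlsafe(16)
        account.active_sessions.add(web_session)
        return True, web_session


def change_password(account: Account) -> None:
    """Rotating the password must also invalidate every derived credential."""
    account.password_generation += 1
    account.active_sessions.clear()


def demo() -> dict:
    """Replays the scenario from the post against both redeemers.

    Each value is (naive_accepted, hardened_accepted)."""
    victim = Account(uid="100000000001")  # constructed sample uid
    victim.active_sessions.add("ios-app-session")
    accounts = {victim.uid: victim}
    svc = HandoffService()
    t0 = 1_000_000.0
    results = {}
    # First use in the victim's own browser: both accept.
    link = svc.issue(victim, "ios-app-session", t0)
    results["first_use"] = (svc.redeem_naive(link, accounts)[0],
                            svc.redeem_hardened(link, accounts, t0 + 5)[0])
    # The same link forwarded to another device and reused.
    results["replay"] = (svc.redeem_naive(link, accounts)[0],
                         svc.redeem_hardened(link, accounts, t0 + 10)[0])
    # A fresh link redeemed after the TTL has elapsed.
    link2 = svc.issue(victim, "ios-app-session", t0)
    results["stale"] = (svc.redeem_naive(link2, accounts)[0],
                        svc.redeem_hardened(link2, accounts, t0 + HANDOFF_TTL_SECONDS + 1)[0])
    # A fresh link, then the victim changes password / logs out everywhere.
    link3 = svc.issue(victim, "ios-app-session", t0)
    change_password(victim)
    results["after_password_change"] = (svc.redeem_naive(link3, accounts)[0],
                                        svc.redeem_hardened(link3, accounts, t0 + 5)[0])
    return results
```

Running `demo()` shows the naive redeemer accepting all four attempts, while the hardened one accepts only the first use and rejects the replay, the expired link and the link issued before the password change. The password-generation check is deliberately kept alongside the session check: it still protects you if a password change does not clear existing sessions.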

Impact:

1. Permanent access to Facebook users' accounts.
2. Bypassing any authentication.


June 18, 2019 — Initial Report
June 19, 2019 — Report Triaged
June 21, 2019 — Fixed By Facebook
June 21, 2019 — Fix Confirmed
June 27, 2019 — Bounty awarded


Happy Hacking!!


Written by Mahmoud Barakat. Student in the morning, Hacker at night.
