He forgot to mention m.facebook.com . There have been many issues over the years with the mobile site that didn't exist on the main site. Examples:

1) You could invite *anyone* to a Facebook event via their Facebook ID by simply doing an HTTP POST of Facebook IDs to the event invitation script on this domain, but not on the main site. For some reason, on the mobile site they didn't implement the check to see if you were actually friends with the invitee. Since FB sends an email to each invitee, this was an enormous spamming loophole for quite a while.

2) For a long time, there was no frame-breaking script on m.facebook.com. You could clickjack essentially anything on Facebook this way. Years ago I did a proof-of-concept on this where I clickjacked a platform app authorization, which let me receive the name, email, and other profile info of any user that did nothing more than click the X button on an annoying overlay I put on the screen.
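Added example, not Facebook's code and not from the commenter: the two missing server-side checks described above, written out beside the behaviour that lacked them. The first part is the invite endpoint with and without the friendship check; the second is a header-based check for whether a page can be framed at all (the condition the clickjacking proof-of-concept relied on), following the precedence modern browsers apply to Content-Security-Policy frame-ancestors and X-Frame-Options. The user ids, origins, friend graph and header sets are constructed for the example.

```javascript
// Added example, not Facebook's code. Two of the server-side checks the
// comment says were missing on m.facebook.com, beside the behaviour that
// lacked them. User ids, origins and the friend graph are constructed.

// ---- 1. Event invites: only the requester's friends may be invited --------

// Constructed friend graph: user id -> set of friend ids.
const FRIENDS = {
  1001: new Set([1002, 1003]),
  1002: new Set([1001]),
};

// The mobile endpoint as described: every id in the POSTed list is invited
// (and therefore e-mailed), with no relationship check at all.
function mobileInvite(requester, body) {
  return body.split(',').map(s => s.trim()).filter(Boolean)
    .map(Number).filter(Number.isInteger);
}

// The check the main site had: drop ids that are not friends of the requester
// and dedupe, so one POST cannot fan out mail to arbitrary users.
function checkedInvite(requester, body, friends = FRIENDS) {
  const allowed = friends[requester] || new Set();
  const ids = [...new Set(mobileInvite(requester, body))];
  return {
    invited: ids.filter(id => allowed.has(id)),
    rejected: ids.filter(id => !allowed.has(id)),
  };
}

// ---- 2. Framing: can a page at selfOrigin be framed from framerOrigin? ----
//
// Precedence as in current browsers (assumed from the HTML and CSP specs, not
// from any Facebook behaviour): a CSP frame-ancestors directive wins over
// X-Frame-Options; conflicting X-Frame-Options values are treated as DENY;
// unrecognised values, including the deprecated ALLOW-FROM, are ignored, so
// the page stays frameable. No header at all is the m.facebook.com case.

// Return the frame-ancestors source list from the CSP header values, or null.
function parseFrameAncestors(cspValues) {
  for (const policy of cspValues) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') {
        return tokens.slice(1).map(t => t.toLowerCase());
      }
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
// Handles 'none', 'self', *, scheme-source and host-source with a *. prefix.
function sourceMatches(src, framerOrigin, selfOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === selfOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === framer.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== framer.protocol) return false;
  const hostOk = wildcard
    ? framer.hostname.endsWith('.' + host)   // *.example.com excludes example.com
    : framer.hostname === host;
  const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
  const portOk = !port || port === '*' || port === framerPort;
  return hostOk && portOk;
}

// headers: object mapping lowercase header name -> array of header values.
function canBeFramedBy(headers, framerOrigin, selfOrigin) {
  const ancestors = parseFrameAncestors(headers['content-security-policy'] || []);
  if (ancestors !== null) {
    const ok = ancestors.some(s => sourceMatches(s, framerOrigin, selfOrigin));
    return { frameable: ok, reason: 'CSP frame-ancestors ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || [])
    .flatMap(v => v.split(','))          // a combined header field is comma-joined
    .map(v => v.trim().toLowerCase())
    .filter(Boolean);
  if (xfo.length === 0) {
    return { frameable: true, reason: 'no anti-framing header at all' };
  }
  if (new Set(xfo).size > 1) {
    return { frameable: false, reason: 'conflicting X-Frame-Options values, treated as DENY' };
  }
  if (xfo[0] === 'deny') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo[0] === 'sameorigin') {
    return { frameable: framerOrigin === selfOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { frameable: true, reason: 'X-Frame-Options value "' + xfo[0] + '" is ignored' };
}
```

The framing check looks only at response headers on purpose: a JavaScript frame-breaker like the one the comment says was missing is itself bypassable (for example by sandboxed iframes or navigation-cancelling tricks), so when auditing a second domain such as a mobile site the question to ask is whether it sends X-Frame-Options or frame-ancestors at all, not whether it carries a script.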
Nice. Although I'm still on the fence about bug bounties at their current price, as I can't help but see this as potentially manipulative: like hackathons where a company owns what you make, this guided hacking seems to be taking advantage of people's passions in order to underpay them for work.

But I can't really say it's underpaid, as I have no idea what the black market for exploits is like, so maybe they are fairly paid.
"Facebook’s internal network where employees turn those gears so you can scroll past that “10 Things You Love About Potatoes” BuzzFeed article one more time."