Youssef Sammouda (sam0) Profile
Youssef Sammouda (sam0)

@samm0uda

32,189
Followers
430
Following
21
Media
1,331
Statuses

Hacker, bug bounty hunter, guy behind . 1st in Meta bug bounty program for the last 5 years. YES Team Member

Yes™
Joined October 2016
Pinned Tweet
@samm0uda
Youssef Sammouda (sam0)
2 years
Multiple bugs chained to take over Facebook accounts which use Gmail ($42k).
53
477
2K
@samm0uda
Youssef Sammouda (sam0)
5 years
Data extraction bug in Facebook. Sorry, no write-up for this one at the moment! #BugBounty
66
203
1K
@samm0uda
Youssef Sammouda (sam0)
3 years
I made $222k+ from 6 bugs found in a 100-line piece of JS code. Estimated earnings of $500k from web client-side bugs to date, with multiple bugs found in browsers. Some people are still questioning web client-side bugs; don't follow them, learn JS and start examining code.
43
128
1K
@samm0uda
Youssef Sammouda (sam0)
3 years
I had a crazy week in February in which I was able to find 3 interesting account takeovers in Facebook, which resulted in a total of $100k in bounties. I'm sharing details about two of them and soon the third:
39
362
1K
@samm0uda
Youssef Sammouda (sam0)
3 years
A successful year, I might call it. I didn't focus much on bug bounty, made ~$420k from only ~22 reports. I encourage everyone to focus on quality/severity over quantity. Spent the rest of the time chilling and working on other projects. Next year, I don't believe I'll be doing much BB.
27
47
981
@samm0uda
Youssef Sammouda (sam0)
2 years
I crossed $1,000,000 in bounties a long time ago without even noticing lol; around 93% came from @Meta. Also, what I'm probably most proud of is the almost (hopefully by the end of the week) 30 account takeovers found in Meta (which have technically made me the 1 million).
64
43
924
@samm0uda
Youssef Sammouda (sam0)
4 years
Facebook DOM Based XSS using postMessage. Bounty: $25k #bountycon2020
21
246
891
@samm0uda
Youssef Sammouda (sam0)
3 years
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers
18
269
854
@samm0uda
Youssef Sammouda (sam0)
2 years
Finally! Well, after a lot of whining about the delay, I think that bonus is enough to forget it lol. Write-up soon, since it's sleep time for me.
29
30
762
@samm0uda
Youssef Sammouda (sam0)
1 year
I got lucky and won first place in the Meta Bug Bounty Researcher Conference. This was a new life achievement since I made $200k+ in bounties in a single event; I guess bug bounty will always be a thing for sure in the coming years. Congrats to all other contenders. #BugBounty
78
40
743
@samm0uda
Youssef Sammouda (sam0)
3 years
Account takeover of Instagram accounts due to unrestricted permissions of third-party applications' generated tokens ($18K):
17
156
719
@samm0uda
Youssef Sammouda (sam0)
3 years
One-click reflected XSS in due to unfiltered URI schemes leads to account takeover ($9,600). Special thanks to @yaalaab for introducing the endpoint to me.
15
160
697
@samm0uda
Youssef Sammouda (sam0)
3 years
If you can't hack your way into learning hacking from available resources, you don't have what it takes to be a hacker, or you'll never become a great one. In other words, this is something you achieve the hard way and not something you can buy.
21
124
650
@samm0uda
Youssef Sammouda (sam0)
4 years
XSS on forums.oculusvr .com leads to Oculus and Facebook account takeovers. Special thanks to @JosipFranjkovic for previously published work on Oculus. Bounty: $30K
8
139
621
@samm0uda
Youssef Sammouda (sam0)
2 years
More secure Facebook Canvas Part 2: $100k worth of Account Takeovers: As usual, simple but critical.
29
138
614
@samm0uda
Youssef Sammouda (sam0)
3 years
You should stop acquiring certificates/diplomas and start acquiring skills. Cybersecurity "alleged" companies are somehow interested in people with certs since they're more available and easy to hire at low cost. Companies with dedicated security strategies will hire hackers instead.
33
89
595
@samm0uda
Youssef Sammouda (sam0)
8 months
In 2023: I met my hacker friends on two occasions and also made new ones. Reported 14 bugs. Made $450,000. My goals for 2024 are to grow, learn new things and share more write-ups.
37
20
587
@samm0uda
Youssef Sammouda (sam0)
2 years
ATO of FB/OC accounts after stealing access_tokens ($44,250). DOM-XSS in Instant Games due to improper verifications ($62,500?). ATO in Canvas Games due to weak cross-window message origin validations ($62,500).
12
154
573
@samm0uda
Youssef Sammouda (sam0)
3 years
Facebook XSS via HTTP Response Splitting. I encountered difficulties getting this working with HTTP/2 due to the way headers are transmitted. It worked with HTTP/1.1 and, surprisingly, with HTTP/3 (different browser behaviours, so different payloads). No write-up for this one yet!
15
70
548
@samm0uda
Youssef Sammouda (sam0)
4 years
Facebook CSRF bug which led to Instagram partial account takeover. Bounty: $12,500.
5
138
518
@samm0uda
Youssef Sammouda (sam0)
10 months
I got $66000 once for an XSS. The impact to the business and its users is the important thing in a report and not the bug itself.
@akita_zen
Akita ZeN 🇦🇷
10 months
@ajxchapman just an XSS, a 10k XSS .. xd
6
3
71
18
24
511
@samm0uda
Youssef Sammouda (sam0)
3 years
Let me remind you of one of the greatest security blogs i know and which i learned a lot from:
8
127
509
@samm0uda
Youssef Sammouda (sam0)
3 years
I can't say that a bug bounty hunter lifestyle is the best professionally or at a personal level. Money is good, but you'll get bored with time, lose your touch and even lose your purpose for doing it. Best advice to you is to just do it for fun or do something else in parallel.
23
45
485
@samm0uda
Youssef Sammouda (sam0)
4 years
Throughout this month I'll share write-ups of around 50 bugs I found in Facebook. Although I already write about the interesting ones, I thought some of these could also help you someday. Stay tuned!
8
24
475
@samm0uda
Youssef Sammouda (sam0)
3 years
Here's the third bug. Multiple bugs were chained to achieve Facebook account takeover. Facebook account takeover due to unsafe redirects after the OAuth flow ($30k).
@samm0uda
Youssef Sammouda (sam0)
3 years
I had a crazy week in February in which I was able to find 3 interesting account takeovers in Facebook, which resulted in a total of $100k in bounties. I'm sharing details about two of them and soon the third:
39
362
1K
12
117
469
@samm0uda
Youssef Sammouda (sam0)
1 year
Yay, I was awarded a $50,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder
44
15
462
@samm0uda
Youssef Sammouda (sam0)
4 years
View orders and financial report lists for any page shop ($500). URLs in img tags aren't safely embedded ($500). Access employees' files in internal CDNs / access users' modified/deleted content ($12,500).
8
149
448
@samm0uda
Youssef Sammouda (sam0)
4 years
Enumerate internal cached URLs which lead to data exposure ($4,800). Leaking Facebook user information to external websites ($2,000). Make recruiting referrals on behalf of employees ($3,000).
7
154
447
@samm0uda
Youssef Sammouda (sam0)
11 months
Yay, I was awarded a $30,000 bounty on @Hacker0x01! #TogetherWeHitHarder Should have been another $50,000; however, no consistency in payouts, going back to Meta.
23
14
443
@samm0uda
Youssef Sammouda (sam0)
3 years
I closed my Facebook account; I couldn't stop hunting there and advance in many ways in my career. It was casual hunting for a period of 4 years making ~$800k (a couple of unresolved reports). I'd call that a success and move on. Thanks @fbsecurity team @phwd_ @JosipFranjkovic @vulnano
22
15
422
@samm0uda
Youssef Sammouda (sam0)
3 years
You'd like to have a successful career/journey in infosec, you feel you like everything about hacking/security? Don't start with bug bounty; you'll never reach any goals besides some pocket change because you used this tool or you exactly followed this video/write-up.
22
67
400
@samm0uda
Youssef Sammouda (sam0)
3 years
Every time I report a bug on HackerOne, I feel I'm fighting to not get ripped off. Their triagers would try their best to find something stupid/unrelated and close your report.
38
22
390
@samm0uda
Youssef Sammouda (sam0)
2 years
Could we all agree that bug bounty hunting is not for everyone? Not gatekeeping, but for God's sake you need to understand that you should have a minimum amount of knowledge and experience before you do it. The amount of spamming/wrong stupid reports happening started hurting us all.
16
26
373
@samm0uda
Youssef Sammouda (sam0)
3 years
Oculus SSO “Account Linking” bug leads to account takeover on third party websites and inside VR Games/Apps ($12K)
4
89
369
@samm0uda
Youssef Sammouda (sam0)
6 years
10
174
360
@samm0uda
Youssef Sammouda (sam0)
3 years
Celebrating the 100th resolved report to the Facebook bug bounty program and making more than $500k in bounties. Fascinating work by @fbsecurity and myself. Special thanks to everyone who participated and shared their findings in this program.
23
9
344
@samm0uda
Youssef Sammouda (sam0)
2 years
Recently, I found a chain of bugs that made it possible to take over any account on one of the most used online platforms. I think putting together this attack was more complicated than any Meta ATO bug I've found to date. I got $700 for this report. Here are my thoughts on this: 1/n
12
22
305
@samm0uda
Youssef Sammouda (sam0)
4 years
Happy new year! Here's a quick write-up for an interesting bug I recently found in Facebook: Bad regex used in the Facebook JavaScript SDK leads to account takeovers on third-party websites that included it. Bounty: $10K
6
68
302
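The DOM XSS via postMessage, the Canvas Games takeover via weak cross-window message origin validation, and the bad regex in the JavaScript SDK listed above all reduce to the same question: how a `message` handler decides whether `event.origin` is trusted. The block below is an added illustration, not the author's code and not Facebook's SDK. It puts a substring check and a badly written regex check, the two shapes these bug titles describe, beside a strict allowlist check, and runs constructed origins through each; every hostname is hypothetical.

```javascript
// Added example, not the author's code and not Facebook's SDK: three ways a
// cross-window message handler can validate event.origin, run against
// constructed origins. All hostnames are hypothetical.

// Weak check 1: substring match. Any origin containing the string passes,
// e.g. https://www.example.com.attacker.test
function originCheckIndexOf(origin) {
  return origin.indexOf("example.com") !== -1;
}

// Weak check 2: regex with an unescaped dot and no end anchor. The "." in
// "example.com" matches any character, and nothing stops a trailing suffix.
function originCheckBadRegex(origin) {
  return /^https:\/\/([a-z0-9-]+\.)*example.com/.test(origin);
}

// Strict check: compare the full origin (scheme, host, port) against a
// fixed allowlist. No pattern matching at all.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "https://www.example.com",
]);
function originCheckStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Receiver logic shared by all three checks: only a message from an accepted
// origin may hand the page a token. In a browser this is wired up as
// window.addEventListener("message", e => handleMessage(originCheckStrict, e, state)).
function handleMessage(check, event, state) {
  if (typeof event.origin !== "string" || !check(event.origin)) return false;
  if (event.data && event.data.cmd === "setToken") {
    state.token = event.data.token;
  }
  return true;
}

// Constructed origins: one legitimate, three that an attacker can serve.
const ORIGINS = {
  legit: "https://www.example.com",
  suffix: "https://www.example.com.attacker.test",
  dotWildcard: "https://www.exampleXcom",
  httpDowngrade: "http://www.example.com",
};

// Runs every origin through every check and reports which messages were
// accepted and actually planted the attacker-chosen token.
function evaluate() {
  const checks = {
    indexOf: originCheckIndexOf,
    badRegex: originCheckBadRegex,
    strict: originCheckStrict,
  };
  const accepted = {};
  for (const [checkName, check] of Object.entries(checks)) {
    accepted[checkName] = {};
    for (const [originName, origin] of Object.entries(ORIGINS)) {
      const state = {};
      const event = { origin, data: { cmd: "setToken", token: "attacker-chosen" } };
      accepted[checkName][originName] =
        handleMessage(check, event, state) && state.token === "attacker-chosen";
    }
  }
  return accepted;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The sending side deserves the same discipline: pass a concrete `targetOrigin` to `postMessage` rather than `"*"`, otherwise a token is delivered to whatever document currently occupies the target window, including one the user has since navigated to an attacker's site.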
@samm0uda
Youssef Sammouda (sam0)
3 years
People are asking me about tools I use to find bugs; well, there's only one that I'd recommend and have been using for the last 2 years, it's called Chrome DevTools.
11
12
298
@samm0uda
Youssef Sammouda (sam0)
3 years
CVE-2021-29991. "This allowed for a header splitting attack against servers using HTTP/3." Found during the reported XSS in Facebook.
6
45
295
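The Facebook XSS via HTTP Response Splitting above and the related CVE-2021-29991 note both hinge on a header value that carries a CR/LF pair, which in HTTP/1.1 terminates the intended response early so that the rest of the value is read as a second response. The block below is an added example, not the author's payload and not Facebook's code: it builds a raw HTTP/1.1 redirect from a tainted value, parses the byte stream the way a client would, and shows the check that stops it. The `/home` path and the injected body are constructed inputs.

```javascript
// Added example, not the author's payload or Facebook's code: the mechanism
// of HTTP/1.1 response splitting and the header-value check that stops it.
// The "/home" path and the injected script body are constructed inputs.

// Naive builder: copies a request-controlled value into the Location header.
function buildRawResponseNaive(redirectTarget) {
  return (
    "HTTP/1.1 302 Found\r\n" +
    "Location: " + redirectTarget + "\r\n" +
    "Content-Length: 0\r\n" +
    "\r\n"
  );
}

// Hardened builder: refuse any CR, LF or other control character in the
// value instead of trying to strip or encode it.
function assertSafeHeaderValue(value) {
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error("control character in header value");
  }
  return value;
}

function buildRawResponseSafe(redirectTarget) {
  return buildRawResponseNaive(assertSafeHeaderValue(redirectTarget));
}

// Minimal client-side view of the byte stream: split it into responses at
// the blank line and Content-Length, the way an HTTP/1.1 parser would.
function parseResponses(raw) {
  const responses = [];
  let pos = 0;
  while (raw.startsWith("HTTP/", pos)) {
    const headEnd = raw.indexOf("\r\n\r\n", pos);
    if (headEnd === -1) break;
    const lines = raw.slice(pos, headEnd).split("\r\n");
    const status = parseInt(lines[0].split(" ")[1], 10);
    const headers = {};
    for (const line of lines.slice(1)) {
      const sep = line.indexOf(":");
      headers[line.slice(0, sep).trim().toLowerCase()] = line.slice(sep + 1).trim();
    }
    const length = parseInt(headers["content-length"] || "0", 10);
    const bodyStart = headEnd + 4;
    responses.push({ status, headers, body: raw.slice(bodyStart, bodyStart + length) });
    pos = bodyStart + length;
  }
  return responses;
}

// Constructed tainted value: closes the 302 early and appends a complete 200
// response whose body is attacker-controlled HTML.
const INJECTED_BODY = "<script>alert(1)</script>";
const TAINTED_TARGET =
  "/home\r\nContent-Length: 0\r\n\r\n" +
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" +
  "Content-Length: " + INJECTED_BODY.length + "\r\n\r\n" +
  INJECTED_BODY;

// Returns what a client sees in each case: the split stream from the naive
// builder, whether the hardened builder rejected the value, and a clean run.
function demo() {
  const split = parseResponses(buildRawResponseNaive(TAINTED_TARGET));
  let rejected = false;
  try {
    buildRawResponseSafe(TAINTED_TARGET);
  } catch (e) {
    rejected = true;
  }
  const clean = parseResponses(buildRawResponseSafe("/home"));
  return { split, rejected, clean };
}

const result = demo();
console.log("naive build yields", result.split.length, "responses; second body:",
  result.split[1] && result.split[1].body);
console.log("hardened build rejected tainted value:", result.rejected);
```

Two notes on where this does and does not apply. Node's own `http` module already refuses CR/LF in `setHeader` values (it throws `ERR_INVALID_CHAR`), so the split only materialises when a response is assembled by hand or by a server that skips that validation. On HTTP/2 and HTTP/3, header fields travel as HPACK/QPACK-encoded fields rather than CRLF-delimited lines, so the same bytes do not delimit anything on the wire; that is consistent with the author's remark that the HTTP/1.1 payload did not carry over to HTTP/2, and it is the receiving implementation's handling of such field values, not the framing, that decides what happens there.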
@samm0uda
Youssef Sammouda (sam0)
3 years
This was a simple but very effective bug and could have been used to build a data set of FB users and their added phone numbers, similarly to how the recent leak was built. Identify a Facebook user by his phone number despite privacy settings set ($9K).
8
50
290
@samm0uda
Youssef Sammouda (sam0)
4 years
Expose the email address of Workplace users. Bounty: $5K
1
67
286
@samm0uda
Youssef Sammouda (sam0)
3 years
I feel like sharing some write-ups today.
19
3
285
@samm0uda
Youssef Sammouda (sam0)
3 years
phwd_ is back! To those who don't know him, he's the godfather of the Facebook BBP. He already posted some new write-ups of SSRFs he found in FB that got him $60,000. Follow him to get upcoming write-ups and make sure to check his previous ones in
8
54
275
@samm0uda
Youssef Sammouda (sam0)
3 years
Disclose unconfirmed email/phone of a Facebook user
3
40
276
@samm0uda
Youssef Sammouda (sam0)
3 years
I was supposed to prepare for a job interview this week; I ended up hunting for bugs in Facebook (and other places) and found 5 interesting ATOs (this is a kind of prep for the interview, right?). Probably I'll get more money for these than the annual salary for this job.
16
6
278
@samm0uda
Youssef Sammouda (sam0)
2 years
There's a huge difference between the bug bounty involving research, finding a bug (sometimes chaining multiple ones) and developing an exploit, AND the bug bounty of subdomain & CMS discovery, checking exploits for CVEs on GitHub, and waiting for 1-day bugs and their exploits to report.
9
20
267
@samm0uda
Youssef Sammouda (sam0)
2 years
After 3 hours of being stuck in line, I had to buy everything to make it look worth it lol. Anyway, enjoy #DEFCON30, it's awesome!
6
8
266
@samm0uda
Youssef Sammouda (sam0)
2 years
2022 recap: I went to Las Vegas and talked to awesome people for the first time in person, and also rejoined friends whom I hadn't met in years. I didn't focus much on BB; however, I managed to spare time for 8 bugs that somehow made me $450k. Still ranked 1st in Meta BBP. Alhamdulillah
16
2
256
@samm0uda
Youssef Sammouda (sam0)
5 years
HTML to PDF converter bug that leads to RCE on a Facebook server. Not well written and screenshots are missing. I'm currently AFK, so expect the write-up to be updated.
7
79
249
@samm0uda
Youssef Sammouda (sam0)
4 years
I'm officially done with the Facebook bug bounty program. Though I've been one of the top contributors to the program for the past years, currently I won't recommend it to anyone. To be honest, it's been a mess for the past year at least.
14
14
246
@samm0uda
Youssef Sammouda (sam0)
2 years
I guess it's enough with account takeover bug write-ups for now, at least for Meta. I'll be disclosing some H1 and BC bugs which have some good attack scenarios while testing for authentication bugs. Never been through the disclosure process there, so hopefully it will go smoothly.
4
5
248
@samm0uda
Youssef Sammouda (sam0)
2 years
With the bug bounty programs I now see and hear about, a million dollars per year or more in bounties is now a possible thing for an experienced individual or team. I know that some people might have done it already. It just requires the consistency and time of a regular job imo.
6
20
245
@samm0uda
Youssef Sammouda (sam0)
3 years
Most programs on H1 and BC are spam, even ones for big companies. They're exploiting your passion and ignorance of real business impact and cost to use you. Don't fall for their point system. They created/promoted a community of minions that would do their job for some dollars. 1/
22
15
237
@samm0uda
Youssef Sammouda (sam0)
3 years
I have to say I'm happy with the ~16K followers I have who are interested in my content and whom it helps grow, better than having 100k who might just be following cuz I'm famous, pretty, or since I have nothing to do all day but post shitty tweets or tips. Thank you all!
8
3
237
@samm0uda
Youssef Sammouda (sam0)
5 years
2019 accomplishments: Got $250k in bounties from two BB programs only. Went to my first hacking event and met great people. 2020 goals: Participate more in other BB programs. Expand my knowledge to other areas like browser and mobile vuln research. Make $1m in bounties.
13
7
227
@samm0uda
Youssef Sammouda (sam0)
3 years
I'm looking for a job in an AppSec Engineer position. Any recommendations or offers are appreciated.
19
34
224
@samm0uda
Youssef Sammouda (sam0)
3 years
Don't do this please! XSS is a serious bug, but you should show them that. Stupid of them to pay $50 for it, but also you could have shown them that you can achieve account takeover with it, a bug that they pay way more for! #XSS_is_not_just_an_alert
11
29
224
@samm0uda
Youssef Sammouda (sam0)
3 years
Odd I didn't see this video before; he said everything that I would say. If you're struggling with bug bounty hunting, please take time to watch it. Yeah, I think I'll also pin this for a while!!
6
60
224
@samm0uda
Youssef Sammouda (sam0)
5 years
Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover
2
94
222
@samm0uda
Youssef Sammouda (sam0)
4 years
Ability to find Facebook employees' test accounts and access internal information ($500) (bnty?). Expose information about partner accounts in the Partner Portal ($3,000). Disclose internal CMS objects' content ($500).
2
53
217
@samm0uda
Youssef Sammouda (sam0)
3 years
1/ Here's a great tool that I think the community has missed: @mitmproxy is a great tool/library written in Python and offers an interactive intercepting proxy. All my reconnaissance and automation tools are built on top of it. I barely need Burp or any GUI apps, but you can use
8
24
210
@samm0uda
Youssef Sammouda (sam0)
3 years
It's been a busy week, but like I promised I'll finish writing the rest of the 50 write-ups (30 remaining, I believe), and after completing these I'll be sharing details of 5 interesting ATOs found on Facebook.
9
6
206
@samm0uda
Youssef Sammouda (sam0)
3 years
Well, there's this cool bug that I would like to share a write-up about, and each time I'm in the middle of doing that, I find a cool bypass. I think I'll keep it for now and make a write-up with all bypasses included.
3
1
206
@samm0uda
Youssef Sammouda (sam0)
3 years
Looking for a Security Engineer (probably Analyst too) job position in the Ontario or Quebec provinces, Canada! Any recommendations or offers are appreciated. Thanks!
15
33
205
@samm0uda
Youssef Sammouda (sam0)
5 years
Reflected XSS in graph .facebook.com which leads to account takeover in IE/Edge
5
58
196
@samm0uda
Youssef Sammouda (sam0)
2 years
I've been listed on Meta's 2022 thanks page and am currently ranked first. Happy about this achievement but a little bit sad, since I think I'm stuck in an infinite loop. Congratulations too to @lokeshdlk77, Sameer and @vulnano (and the rest) for being in the top 10.
19
5
196
@samm0uda
Youssef Sammouda (sam0)
2 years
I encourage you to watch @0xLupin's talk about ChatGPT and how it finds security bugs in a piece of code. Also, he challenged it to find a bug I found in FB (a write-up I previously published); you can check the results: (it's in French, but captions work fine)
2
21
192
@samm0uda
Youssef Sammouda (sam0)
3 years
Some bug bounty programs are really untruthful. Reported an OAuth bug, got $200 for it; after long discussions and explanation I got an extra $3,400. Now, 8 months later, same bug, place, impact, priority, same program, I got $2,400, not even the same reward as before nor the one for P2 bugs.
12
4
188
@samm0uda
Youssef Sammouda (sam0)
2 years
Probably an old radical POV that I couldn't get rid of, but I feel uncomfortable every time I see a hacker using Windows. No offense to anyone.
22
3
184
@samm0uda
Youssef Sammouda (sam0)
3 years
Happy to be included in Facebook's HoF for the 5th year in a row 😊. Currently in first place too! Big thanks to all YES team members for their amazing work and continuous support.
9
1
177
@samm0uda
Youssef Sammouda (sam0)
3 years
The reporting and the response from Facebook for these bugs were one of the reasons I stopped participating in Facebook's BB program for a while. Multiple bugs allowed malicious Android applications to take over Facebook/Workplace accounts.
3
27
178
@samm0uda
Youssef Sammouda (sam0)
2 years
I'm giving a talk during #IWCON2022 organized by @InfoSecComm; they were kind enough to share 3 tickets to the conference for a giveaway. Follow, like and retweet to participate in the giveaway. Winners will be announced in a week!
7
59
178
@samm0uda
Youssef Sammouda (sam0)
4 years
Disclose content of internal Facebook javascript modules ( Revisited )
1
37
170
@samm0uda
Youssef Sammouda (sam0)
3 years
Don't hunt or report to Atlassian. Untrustworthy, has no honesty regarding bounty amounts and ignores its own policy/info page. Trust me on this!
9
6
161
@samm0uda
Youssef Sammouda (sam0)
3 years
Accepted every LinkedIn connection request and now my feed is full of HoF, censored Synack screenshots and payments. I guess I have to close the account now.
10
2
163
@samm0uda
Youssef Sammouda (sam0)
3 years
I don't think bug bounty hunting is amusing or has a meaning besides making money; fully securing a system is impossible while scaling, and bugs will always be there. I'm sure some of us are wondering: what's next? Bounty hunters at least had fun and action while hunting criminals.
6
10
157
@samm0uda
Youssef Sammouda (sam0)
4 years
Ability to brute-force Instagram accounts' passwords due to lack of rate-limiting protection
10
37
152
@samm0uda
Youssef Sammouda (sam0)
3 years
Found this picture from 2019 during h1-604 with the entire YES team. Rocked it back then, still do! @phwd_ @JosipFranjkovic @vulnano
6
4
153
@samm0uda
Youssef Sammouda (sam0)
2 years
@H3KTlC In cybersecurity there's always a new flaw, there's no fully secured system. So what we're doing basically is just trying, nothing more.
6
12
148
@samm0uda
Youssef Sammouda (sam0)
3 years
The perfect environment for phishing attacks, especially against people who don't know much about infosec; be careful! #facebookdown
1
20
147
@samm0uda
Youssef Sammouda (sam0)
2 years
I've taken a long break for a few months; fortunately, I had the chance to hunt again now and I can say that some crazy stuff was found and hopefully it'll be shared once fixed.
7
2
148
@samm0uda
Youssef Sammouda (sam0)
2 years
I'll be in Las Vegas from the 2nd to the 14th attending #h1702 and DEFCON. If anyone wants to meet and talk sec/life, please ping me!
5
1
146
@samm0uda
Youssef Sammouda (sam0)
3 years
First time in my infosec journey I started hating anything with a mention of an RCE. Hell, I started hating Twitter with the drama every couple of days. I don't know which platform I should move to next; nothing is left, I guess.
19
5
145
@samm0uda
Youssef Sammouda (sam0)
3 years
The workshop will be about finding vulnerabilities in web applications on the client side. We will cover several types of vulnerabilities that are rarely discussed, and how to exploit them. I will be speaking in Arabic, God willing. For my English-speaking followers, I'll be presenting an English version of this talk soon!
@JeddahBsides
Security BSides Jeddah
3 years
We are excited to announce that we are hosting @Samm0uda at #BSidesJeddah to talk about "bug hunting". Youssef identified a number of vulnerabilities in Facebook and received a huge reward exceeding $775 thousand! #الأمن_السيبراني #BSidesJeddah #CybersecurityAwarenessMonth #cyberawareness #cybersecurity
3
6
32
17
13
142
@samm0uda
Youssef Sammouda (sam0)
2 years
Shared one post on LinkedIn and hell just broke loose in the invitations section. Didn't know there were this many people in cybersecurity; guess that's something to be happy about!
5
3
140
@samm0uda
Youssef Sammouda (sam0)
2 years
I'm attending the Tunisia Cybersecurity and Cloud Expo organized by DigiLab-Express. To anyone attending: if you see me, come say hi!
9
1
143
@samm0uda
Youssef Sammouda (sam0)
4 years
I reported an account takeover to one program on HackerOne that exploits a chain of bugs. The chain payload can be included in an iframe, which makes the attack undetectable and included. The website is very famous. They closed this as social engineering. Stupidity level undetermined.
9
5
138
@samm0uda
Youssef Sammouda (sam0)
3 years
+$42k
12
0
140
@samm0uda
Youssef Sammouda (sam0)
3 years
Instead of randomly doing this, you can read open source projects released by a company and verify how logging is done with log4j and for which entries. #Log4Shell. Try to get a hit by DNS lookups first; connections to external servers might be blocked, so you may get env vars instead.
3
10
137
@samm0uda
Youssef Sammouda (sam0)
3 years
Twitch was hacked and its source code leaked online; afaik they didn't have a bug bounty program. With the code out, it's a hard decision now to either start one or potentially expect more exploitation of vulns in the future.
9
7
132
@samm0uda
Youssef Sammouda (sam0)
3 years
"Don't put all your eggs in one basket", FACEBOOK will learn about this proverb the hard way.
3
5
128
@samm0uda
Youssef Sammouda (sam0)
5 years
Got a total of $60,000 in bounties in the first half of this year. Still hope to get more in the second half.
11
3
117
@samm0uda
Youssef Sammouda (sam0)
2 years
Most likely you won't see me on the Meta 2023 HoF page, not because I can't compete anymore but because I don't want to. Good luck to the others!
11
0
114
@samm0uda
Youssef Sammouda (sam0)
1 year
Here are a few reasons why I'm done with bug bounty: I report a bug which took 1 week to fix, and I wait 5 months to get paid. The BB platform used by the program as a payment provider (not to be disclosed at the moment) doesn't send the funds, three times in a row. HOW TO PAY BILLS
8
1
112
@samm0uda
Youssef Sammouda (sam0)
4 years
Privilege escalation to Admin access in Partners Portal
0
28
107
@samm0uda
Youssef Sammouda (sam0)
4 years
I'm looking for an internship for the summer of 2021. I'm interested in an intern security engineer (or analyst) position. I'd appreciate any offers or recommendations!
5
12
107
@samm0uda
Youssef Sammouda (sam0)
2 years
Passing by the awesome city of Istanbul. Happy to meet with anyone who'd like to have a cup of coffee and talk infosec.
5
0
106
@samm0uda
Youssef Sammouda (sam0)
3 years
This last account takeover bug was very interesting. Simple but hard to find.
4
1
107