
Multiple XSS Vulnerabilities in Meta Conversion API Gateway Enable Zero-Click Account Takeover
Tags: cybersecurity, vulnerability, XSS, Meta, API, account_takeover, zero_click, bug_bounty
The post details the discovery of multiple cross-site scripting (XSS) vulnerabilities in the Meta Conversion API Gateway that allowed zero-click account takeover, meaning no user interaction was required. The flaws involved insecure parameters in the API through which malicious code could be executed. The author outlines the technical steps leading to exploitation, including payload injection via HTTP requests. The issue was reported to Meta and has since been patched.