Here I’m going to explain a Facebook bug that could bypass its spamming protection.
https://lookaside.facebook.com was vulnerable: it did not enforce spamming protection on all of its endpoints, including the ones used to share arbitrary content. Facebook blocks many operations when they are misused, and this host let a blocked account perform them anyway.
Weeks after I reported it, they fixed the bug and awarded a nice bounty in view of the impact of this vulnerability.
Reproduction Instructions / Proof of Concept:
One example scenario:
I am already temporarily blocked by Facebook. Let’s verify the block.
Now I will show you how I bypassed it.
2. Go to
Post the status; it goes through, and the spamming protection is bypassed.
This allows spamming on Facebook and also makes it easier to misuse the other features it provides.
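The root cause described above is anti-spam enforcement that existed on some endpoints but not on others. The following is an added illustration, not Facebook’s code: the flawed per-handler pattern beside a single central gate, plus an audit helper that lists the endpoints a blocked user can still reach (endpoint paths and user ids are made up).

```python
from typing import Callable, Dict, List

# Constructed sample state: user "u1" is currently under a temporary block.
TEMP_BLOCKED = {"u1"}


class Forbidden(Exception):
    """Raised when a blocked user tries to perform a restricted action."""


def post_status(user: str, payload: str) -> str:
    return f"status by {user}: {payload}"


def share_item(user: str, payload: str) -> str:
    return f"share by {user}: {payload}"


# Flawed pattern: the block check is copied into each handler, and the
# share endpoint simply forgot it. This is the class of gap the write-up hit.
def flawed_dispatch(endpoint: str, user: str, payload: str) -> str:
    if endpoint == "/status":
        if user in TEMP_BLOCKED:
            raise Forbidden("temporarily blocked")
        return post_status(user, payload)
    if endpoint == "/share":  # no block check here
        return share_item(user, payload)
    raise KeyError(endpoint)


# Hardened pattern: one gate in front of every registered handler, so a new
# endpoint cannot be added without inheriting the check.
HANDLERS: Dict[str, Callable[[str, str], str]] = {
    "/status": post_status,
    "/share": share_item,
}


def hardened_dispatch(endpoint: str, user: str, payload: str) -> str:
    handler = HANDLERS[endpoint]  # resolve first so unknown paths still 404
    if user in TEMP_BLOCKED:
        raise Forbidden("temporarily blocked")
    return handler(user, payload)


def endpoints_bypassable(dispatch: Callable, user: str = "u1") -> List[str]:
    """Audit: return every endpoint on which a blocked user still succeeds."""
    leaks = []
    for endpoint in HANDLERS:
        try:
            dispatch(endpoint, user, "x")
            leaks.append(endpoint)
        except Forbidden:
            pass
    return leaks
```

Running `endpoints_bypassable` against each dispatcher is the kind of regression test that would have caught the unguarded endpoint before release.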
All timestamps are in India Standard Time. I omitted a few unimportant interactions.
- 01 April 2016 at 00:08 : Initial report
- 02 April 2016 at 01:08 : Provided more details about the POC
- 20 May 2016 at 13:00 : Issue fixed & Bounty of $5,000 awarded.