Facebook Spam Blocking System Bypassed

Hi all,

Here I’m going to explain the Facebook bug that can bypass spam protection.

Description:

https://lookaside.facebook.com was vulnerable: it had no spam protection on any of its endpoints, including the sharer endpoint, which lets anyone share arbitrary content. Facebook blocks many operations when they are misused, but those blocks were not applied on this host.

Some weeks after my report they fixed the bug and awarded a nice bounty, considering the impact of this vulnerability.

Reproduction Instructions / Proof of Concept:

One example scenario:

1. https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.facebook.com%2Farunsureshkumar

I am already temporarily blocked by Facebook. Let's verify the block.

And now I'll show you how I bypassed this.

2. Go to

https://lookaside.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.facebook.com%2Farunsureshkumar

Post the status; the spam protection is bypassed.
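As an added illustration (my example, not part of the original report and not Facebook's code), the following Python simulation shows why a spam counter keyed on the requesting hostname fails when a second hostname serves the same sharer endpoint, and how keying the counter on the canonical action closes the gap. The hostnames, the limit of 3 shares and the request sequence are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed configuration for the example (not Facebook's real setup):
# two hostnames serve the same /sharer/sharer.php endpoint.
CANONICAL_HOST = "www.example.com"
HOST_ALIASES = {"www.example.com", "lookaside.example.com"}
SHARE_LIMIT = 3  # constructed threshold: shares allowed before the block kicks in


class SpamBlocker:
    """Counts share actions per user and blocks once SHARE_LIMIT is reached."""

    def __init__(self, key_by_host):
        # key_by_host=True reproduces the weak behaviour: each hostname gets
        # its own counter, so an alias host starts again from zero.
        self.key_by_host = key_by_host
        self.counts = defaultdict(int)

    def _key(self, user, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in HOST_ALIASES:
            raise ValueError(f"unknown host: {host}")
        # Fixed behaviour: fold every alias onto the canonical host so the
        # same user hitting the same action shares one counter everywhere.
        bucket_host = host if self.key_by_host else CANONICAL_HOST
        return (user, bucket_host, parts.path)

    def share(self, user, url):
        """Return True if the share is accepted, False if blocked as spam."""
        key = self._key(user, url)
        if self.counts[key] >= SHARE_LIMIT:
            return False
        self.counts[key] += 1
        return True


def simulate(key_by_host):
    """Replay the report's scenario: exhaust the limit on the main host,
    then retry the identical share through the alias host."""
    blocker = SpamBlocker(key_by_host)
    main = "https://www.example.com/sharer/sharer.php?u=https%3A%2F%2Fwww.example.com%2Fsomeone"
    alias = "https://lookaside.example.com/sharer/sharer.php?u=https%3A%2F%2Fwww.example.com%2Fsomeone"
    attempts = [main] * (SHARE_LIMIT + 1) + [alias]
    return [blocker.share("user-1", url) for url in attempts]

if __name__ == "__main__":
    print("per-host counter :", simulate(key_by_host=True))   # alias retry slips through
    print("canonical counter:", simulate(key_by_host=False))  # alias retry is blocked too
```

The same regression can be run against any set of hostname aliases by extending HOST_ALIASES; the last element of the result is the alias retry.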

POC Video:

Impact:

Spamming on Facebook, and abuse of the other features Facebook provides that would normally be blocked.

Timeline:

All timestamps are in India Standard Time. I omitted a few unimportant interactions.

  • 01 April 2016 at 00:08 : Initial report
  • 02 April 2016 at 01:08 : Provided more details about the POC
  • 20 May 2016 at 13:00 : Issue fixed & Bounty of $5,000 awarded.
