Lack of Rate Limit in Facebook Developer Individual Verification ($1000 Bounty)

Dewanand Vishal
2 min read · Jun 15, 2023


Individual Verification is the process by which Facebook developers verify their identity as individuals rather than as business entities. Submitting a request to the verification endpoint starts the process and supplies the information needed for verification.

During my testing, I discovered a potential security flaw in the individual verification workflow. The POST request associated with the process did not implement proper rate limiting, which meant that an attacker could send multiple requests to the Facebook server from their IP address without being blocked. Recognizing the severity of this vulnerability, I promptly reported it to Facebook’s security team.

POST Request

POST /apps/async/individual_verification/send_contract/?email=<Payload> HTTP/1.1
Host: developers.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://developers.facebook.com/settings/developer/indie-verification/
Content-Type: application/x-www-form-urlencoded
Content-Length: 280
Origin: https://developers.facebook.com
Connection: close
Cookie: // User cookies

Impact

Exploiting this vulnerability would allow an attacker to send a large number of emails from a Facebook server to any email account of their choosing. Although this type of issue was initially deemed ineligible on bug bounty platforms, Facebook acknowledged its significance because the affected endpoint belongs to the verification workflow.
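The fix for an email-sending endpoint like the one above is server-side rate limiting keyed on more than the client address. The following is an added example written for this write-up, not Facebook's code: a hypothetical `VerificationEmailService.send_contract` handler that enforces a sliding-window budget per client IP and a second budget per recipient mailbox. The limits (5 per minute per IP, 3 per hour per recipient), the handler name, and the IP addresses and mailbox in the simulated traffic are all assumptions constructed for the demonstration.

```python
from collections import Counter, deque
from typing import Deque, Dict, List, Optional, Tuple
import time


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class VerificationEmailService:
    """Hypothetical server-side handler for a 'send verification email' endpoint.

    The limit values are assumptions chosen for the example.
    """

    def __init__(self, ip_limit: int = 5, ip_window: float = 60.0,
                 email_limit: int = 3, email_window: float = 3600.0) -> None:
        self.by_ip = SlidingWindowLimiter(ip_limit, ip_window)
        self.by_email = SlidingWindowLimiter(email_limit, email_window)
        self.sent: List[Tuple[float, str, str]] = []  # stand-in for the real mailer

    def send_contract(self, email: str, client_ip: str,
                      now: Optional[float] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason). Reason is 'ok', 'ip' or 'email'."""
        if now is None:
            now = time.time()
        # Check the client budget first so a blocked client cannot also
        # consume the recipient's budget.
        if not self.by_ip.allow("ip:" + client_ip, now):
            return 429, "ip"
        # Normalise the address so case variants cannot bypass the per-recipient cap.
        if not self.by_email.allow("email:" + email.strip().lower(), now):
            return 429, "email"
        self.sent.append((now, email, client_ip))
        return 200, "ok"


def simulate(service: VerificationEmailService,
             requests: List[Tuple[float, str, str]]) -> Dict[str, int]:
    """Replay (timestamp, email, ip) tuples and count the outcomes."""
    outcomes: Counter = Counter()
    for now, email, ip in requests:
        _, reason = service.send_contract(email, ip, now=now)
        outcomes[reason] += 1
    return dict(outcomes)


def single_ip_burst(n: int = 20) -> Dict[str, int]:
    """n requests, one second apart, from one IP to one mailbox (constructed traffic)."""
    svc = VerificationEmailService()
    reqs = [(1000.0 + i, "victim@example.com", "203.0.113.10") for i in range(n)]
    return simulate(svc, reqs)


def rotating_ip_burst(n: int = 10) -> Dict[str, int]:
    """n requests to one mailbox, each from a different IP (constructed traffic)."""
    svc = VerificationEmailService()
    reqs = [(2000.0 + i, "victim@example.com", f"198.51.100.{i}") for i in range(n)]
    return simulate(svc, reqs)


if __name__ == "__main__":
    print("single IP:", single_ip_burst())      # {'ok': 3, 'email': 2, 'ip': 15}
    print("rotating IPs:", rotating_ip_burst())  # {'ok': 3, 'email': 7}
```

The second simulation is the reason for the per-recipient budget: a limit keyed only on the source IP, which is what the report above describes as missing, would still let a sender who spreads requests across many addresses flood a single mailbox, whereas capping sends per recipient bounds the impact regardless of how many clients participate.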

Timeline

  • May 16, 2019: Report submitted
  • May 23, 2019: Triage
  • June 5, 2019: Fixed and patched
  • June 5, 2019: Bypass sent
  • July 15, 2019: Issue resolved, and $1000 bounty awarded

Written by Dewanand Vishal

Security Researcher | Bug Bounty Hunter