FACEBOOK VULNERABILITY JUNE 2014 - Bypass Blocking System
Spamming/flooding Facebook users [friends, friends of friends]
Note: I will use the name "attacker" for the user who tags others, to make this article clearer.
As we all know, Facebook's block/ban system is designed first of all to protect Facebook users. Bypassing or avoiding the block to a certain extent may cause a lot of problems for millions of users. None of us wants to be flooded or spammed, and we all hate mass notifications; we read what we are interested in, we like and share some posts, and we report others if necessary.
In recent days I was researching how efficient Facebook's block system is.
I found that Facebook's block system is efficient and highly programmed to avoid mass actions; liking or commenting frequently will cause an automatic ban for your account.
However, if you are the owner (actions on your own account), the block system will not work; for example, you can like all your wall posts, or leave as many comments as you want.
But I figured out that I can bypass the block to a certain extent. For example, if Facebook blocks you from leaving comments after 100 comments made in less than 5 minutes, I can bypass that to make it 300 comments before being blocked.
Post as pages
In my research I found that if an attacker tags a user in a post or comment on his page, the user will get a notification based on the page name.
In this case, users can't know who tagged them; the attacker stays anonymous.
Searching facebook.com/help about page tagging did not lead me to any solution for avoiding anonymous tags.
I say anonymous tags here because the attacker can tag your name in pages that you are not a fan of, pages that you did not like, and the attacker may not even be one of your friends.
After learning Facebook's tagging rules, I took the idea and converted it into a Chrome extension; we can use this extension to flood or spam users in our pages.
Facebook's block system will take effect after a period for the page used; unfortunately, the attacker can use a different page every time.
The main problems here are:
Users cannot stop the flood, which is against their rights.
There is no option for users to prevent the tags, block the page, or stop the notifications.
The flooding attacker is anonymous.
This video explains the flood process on friends and friends of friends; note that all 3 accounts belong to me.
However, Facebook acknowledged it as a bug and patched it.
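The gap described above is that the block is counted per page while the attacker can switch pages. As an added illustration (not code from the original post and not Facebook's implementation), the sketch below compares a per-page limit with a limit counted per recipient across all pages; the thresholds, names and sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.seen[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def delivered_tags(events, per_page=None, per_recipient=None):
    """Return {recipient: notifications delivered} for (ts, page, recipient) events."""
    delivered = defaultdict(int)
    for ts, page, recipient in events:
        # Both limits must pass; the recipient budget is shared by every page.
        if per_recipient and not per_recipient.allow(recipient, ts):
            continue
        if per_page and not per_page.allow(page, ts):
            continue
        delivered[recipient] += 1
    return dict(delivered)


def constructed_flood(pages=3, tags_per_page=100):
    """Constructed sample: one tag per second aimed at a single user, switching
    to a new page after every `tags_per_page` tags."""
    return [(p * tags_per_page + i, f"page-{p}", "user-a")
            for p in range(pages) for i in range(tags_per_page)]


if __name__ == "__main__":
    flood = constructed_flood()
    # Assumed thresholds: 100 actions per page per 5 minutes (the article's
    # example figure) and 20 tags per recipient per 5 minutes (made up here).
    print(delivered_tags(flood, per_page=SlidingWindowLimiter(100, 300)))
    print(delivered_tags(flood, per_page=SlidingWindowLimiter(100, 300),
                         per_recipient=SlidingWindowLimiter(20, 300)))
```

With only the per-page limit, rotating pages multiplies what reaches the user; the per-recipient limit holds no matter how many pages are used.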