OK, this is another vulnerability I reported in 2014 that was fixed in 2015, so I am calling it a 2015 vulnerability.

An Explanation of Captchas:

Have you noticed one of those word-in-a-box prompts when trying to send a URL in a Chat or Inbox message, or when posting a URL on a friend’s Wall? These are called captchas. 

Facebook has built a number of automated systems to detect spam and potential spam and to block those responsible. When Facebook's system finds a URL that it knows is spam, it adds it to a blacklist and prevents it from being sent or posted.

Spammers are smart, though, and they often manipulate their URLs in an attempt to get around these controls. As a result, Facebook also created a “greylist” for URLs that might be spam, but might also be legitimate. When users try to send or post these, Facebook's system puts up a captcha for them to solve. Spammers typically use scripts and machines to do their dirty work, so these captchas, which can only be solved by humans, help stop them in their tracks.
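The three-tier decision described above, as an added example that is not part of the original post and is not Facebook's code: URLs are canonicalized before the list lookup so that rewritten forms of a listed URL get the same verdict. The list contents, host names and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lists (assumptions), keyed by canonical "host/path".
BLACKLIST = {"spam.example/win"}
GREYLIST = {"maybe.example/offer"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Reduce a URL to one canonical "host/path" key for list lookups."""
    url = url.strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url  # bare "host/path" typed into a message
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    try:
        host = host.encode("idna").decode("ascii")  # Unicode host -> punycode
    except UnicodeError:
        pass  # not valid IDNA: keep the raw host
    try:
        port = parts.port
    except ValueError:
        port = None  # malformed port: ignore it
    if port and port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{port}"
    path = parts.path
    for _ in range(3):  # decode repeatedly so nested percent-encoding collapses
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return host + "/" + path.strip("/")


def gate(url: str, captcha_solved: bool = False) -> str:
    """Server-side verdict: 'block', 'captcha' or 'allow'.

    captcha_solved must come from the server's own captcha verification,
    never from a value the client supplies.
    """
    key = canonicalize(url)
    if key in BLACKLIST:
        return "block"
    if key in GREYLIST and not captcha_solved:
        return "captcha"
    return "allow"
```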


Vulnerability:

When users type a spam link, a captcha will pop up. And since the captcha was developed to tell bots from humans, bypassing it means that it is useless.

This vulnerability is close to cross-site scripting (XSS); I used it to inject any URL/link in a way that bypasses the Facebook security check level. Sorry, I am not showing any methods or PoC.

Timeline Report: 

- First Report : Dec 14, 2014 9:30am

- Facebook Team Reply : Dec 18, 2014 10:12pm [ ... I will ask the team and I will let you know what their decision is... ]

- Facebook Team Reply : Mar 13, 2015 12:12pm [ Vulnerability Patched - http://fb.com/889586007729452 ]

 

You may be interested in reading:

My Facebook Bounties For 2013

My Facebook Bounties For 2014