Insufficient Rate Limiting on Facebook Fundraisers

Summary

Facebook Fundraisers lacks rate-limiting protection on card entry. A malicious actor can brute-force card validation by submitting many different random credit or debit card numbers, which could enable large-scale fraud.


The expected behaviour is that once a user repeatedly tries to link or use a declined or invalid credit/debit card, the system blocks them from performing further transactions on Facebook as part of its anti-fraud protections.
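The kind of velocity check described above, as an added example that is not part of the original report and is not Facebook's actual fix: failed card attempts are counted per actor (here a hypothetical `account:42` key; the thresholds `MAX_DECLINES`, `WINDOW_SECONDS` and `LOCKOUT_SECONDS` are assumed values, and `fake_processor` is a constructed stand-in for the payment processor). The gate runs before the card is sent to the processor, so a locked-out actor learns nothing about further card numbers.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds for this example (not Facebook's values).
MAX_DECLINES = 5             # declined/invalid card attempts allowed per window
WINDOW_SECONDS = 3600        # sliding window over which declines are counted
LOCKOUT_SECONDS = 24 * 3600  # how long further card attempts are refused


class CardAttemptLimiter:
    """Velocity check on failed card-link attempts, keyed per actor.

    In practice the key would be the logged-in account id, with a second
    limiter keyed on client IP so throwaway accounts cannot share the budget.
    """

    def __init__(self, max_declines=MAX_DECLINES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, now=time.time):
        self.max_declines = max_declines
        self.window = window
        self.lockout = lockout
        self.now = now                         # injectable clock for testing
        self._declines = defaultdict(deque)    # key -> timestamps of declines
        self._locked_until = {}                # key -> epoch seconds

    def _prune(self, key, t):
        # Drop declines that have aged out of the sliding window.
        q = self._declines[key]
        while q and q[0] <= t - self.window:
            q.popleft()

    def is_blocked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self.now() < until

    def record_result(self, key, approved):
        """Record the processor's answer for one attempt.

        Returns True if the actor is now locked out."""
        t = self.now()
        if approved:
            self._declines[key].clear()        # a successful link resets the count
            return False
        self._prune(key, t)
        self._declines[key].append(t)
        if len(self._declines[key]) >= self.max_declines:
            self._locked_until[key] = t + self.lockout
            return True
        return False


def attempt_link_card(limiter, key, card_number, processor):
    """Gate a card-link attempt behind the limiter.

    Returns "blocked", "approved" or "declined". The lockout decision is
    made before the card ever reaches the processor."""
    if limiter.is_blocked(key):
        return "blocked"
    approved = processor(card_number)
    limiter.record_result(key, approved)
    return "approved" if approved else "declined"


# Constructed stand-in for the payment processor: exactly one card "exists".
VALID_TEST_CARD = "4111111111111111"


def fake_processor(card_number):
    return card_number == VALID_TEST_CARD


def simulate_bruteforce(n_attempts):
    """Drive n constructed card guesses through the gate and tally outcomes."""
    clock = [0.0]
    limiter = CardAttemptLimiter(now=lambda: clock[0])
    tally = {"blocked": 0, "approved": 0, "declined": 0}
    for i in range(n_attempts):
        guess = f"4{i:015d}"   # constructed guess; never equals VALID_TEST_CARD
        tally[attempt_link_card(limiter, "account:42", guess, fake_processor)] += 1
        clock[0] += 1.0        # one attempt per second
    return tally


if __name__ == "__main__":
    print(simulate_bruteforce(20))   # {'blocked': 15, 'approved': 0, 'declined': 5}
```

With the assumed threshold of five declines, the sixth and every later guess is refused without touching the processor; a real deployment would also alert on the lockout event and apply the same check per IP and per card BIN.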

Proof of Concept

https://www.youtube.com/watch?v=2WhZi_h8Nd8

Timeline

May 28, 2019 – Report Sent
May 31, 2019 – First Response from Facebook
June 12, 2019 – Triaged
August 13, 2019 – Fixed
August 23, 2019 – Bounty Issued

Response from Facebook Security Team
