Featured image of post Insufficient Rate Limitting on Facebook Fundraisers
Bug Bounty

Insufficient Rate Limitting on Facebook Fundraisers

Facebook Fundraisers Lacks Rate Limiting Protection. Malicious actors can bruteforce this by sending different random credit or debit card numbers.

Summary

Facebook Fundraisers Lacks Rate Limiting Protection. Malicious actors can bruteforce this by sending different random credit or debit card numbers. This could result to large scale fraud.

The Expected Behaviour is Once You tried to Repeatedly Link or Use a Declined or Invalid Credit/Debit Card the System Should block you from doing additional Transactions in Facebook as Part of its Anti Fraud Protections.

Timeline

  • May 28, 2019 – Report Sent
  • May 31, 2019 – First Response from Facebook
  • June 12, 2019 – Triaged
  • August 13, 2019 – Fixed
  • August 23, 2019 – Bounty Issued

Response from Facebook Security Team

Facebook Response

© 2022 Ctulhu | Bug Bounty and Security Research
ctulhu.me | Christian Niel Angel
Built with Hugo
Theme Stack designed by Jimmy