Wednesday, May 5, 2021

Facebook Bug POC - Deleting Friends notifications


Two endpoints performing an Invite and a Removal, used to add and remove Contributors for Collections, were missing rate limiting.

Every Invite would send a notification to that Friend.

Every Removal allowed a fresh notification to be sent to that Friend when they were invited again.

The Invite request went to -

/graphql
doc_id=2501557149952408&variables={"input":{"client_mutation_id":"10","actor_id":"MY_USER_ID","participant_ids":["VICTIM_USER_ID"],"content_collection_id":"MY_COLLECTION_ID","role":"CONTRIBUTOR","save_mechanism":"ADD_BUTTON","save_surface":"SAVE_LIST_COLLABORATORS_ADD_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}


The Removal request for each Invite went to -

/graphql
doc_id=3163221407084978&variables={"input":{"client_mutation_id":"11","actor_id":"MY_USER_ID","content_collection_id":"MY_COLLECTION_ID","save_mechanism":"REMOVE_FROM_SAVED_LIST_BUTTON","participant_ids":["VICTIM_USER_ID"],"save_surface":"SAVE_LIST_COLLABORATORS_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}

When these requests were repeated in parallel for 30 seconds with as few as 5 threads, the Friend's notifications were deleted from every view available on the UI and in any app.
If the thread count was increased, the user would not get a chance to block the attacker to prevent further notifications. After a few seconds the notification center would be empty and the user could not determine who the attacker was.

If these requests were performed continuously, the notification center would not display any future notifications to the user.
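As an added example (not code from the original report or from Facebook), the following sketches the kind of control whose absence the report describes: a sliding-window rate limiter keyed on (actor, target) that covers both the Invite and the Removal mutation with one shared budget, so the invite/remove cycle cannot be repeated against one Friend faster than a normal user would. The two doc_id values are the ones quoted above; the class name, the limit of 5 notifying mutations per target per 60 seconds, and the simulated request stream are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# doc_id values quoted in the report. Both mutations result in a notification
# to the target (Invite directly, Removal by re-enabling the next Invite),
# so they draw from one shared budget per (actor, target) pair.
INVITE_DOC_ID = "2501557149952408"
REMOVE_DOC_ID = "3163221407084978"
NOTIFYING_MUTATIONS = {INVITE_DOC_ID, REMOVE_DOC_ID}


class PairRateLimiter:
    """Sliding-window limiter keyed on (actor_id, participant_id).

    The limit and window are assumed values, not Facebook's configuration.
    `clock` is injectable so behaviour can be tested without sleeping.
    """

    def __init__(self, max_events=5, window_seconds=60.0, clock=time.monotonic):
        self.max_events = max_events
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # (actor, participant) -> timestamps

    def check(self, doc_id, variables):
        """Return True if the mutation may proceed, False if it must be rejected.

        Mutations that notify nobody are never limited here. A request naming
        several participants is rejected if any single pair is over budget,
        and is only recorded when it is actually allowed.
        """
        if doc_id not in NOTIFYING_MUTATIONS:
            return True
        inp = variables["input"]
        actor = inp["actor_id"]
        participants = inp["participant_ids"]
        now = self.clock()
        allowed = True
        for participant in participants:
            q = self._events[(actor, participant)]
            while q and now - q[0] >= self.window:  # expire old events
                q.popleft()
            if len(q) >= self.max_events:
                allowed = False
        if allowed:
            for participant in participants:
                self._events[(actor, participant)].append(now)
        return allowed


def simulate_burst(cycles=30, max_events=5, window_seconds=60.0):
    """Feed `cycles` invite/remove pairs from one actor against one target
    through the limiter on a fake clock (one request every half second,
    so 30 cycles span the 30 seconds mentioned in the report) and return
    (accepted, rejected). Identifiers are constructed placeholders.
    """
    fake_now = [1000.0]
    limiter = PairRateLimiter(max_events, window_seconds, clock=lambda: fake_now[0])
    variables = {"input": {"actor_id": "MY_USER_ID",
                           "participant_ids": ["VICTIM_USER_ID"]}}
    accepted = rejected = 0
    for _ in range(cycles):
        for doc_id in (INVITE_DOC_ID, REMOVE_DOC_ID):
            if limiter.check(doc_id, variables):
                accepted += 1
            else:
                rejected += 1
            fake_now[0] += 0.5
    return accepted, rejected


if __name__ == "__main__":
    ok, blocked = simulate_burst()
    print(f"accepted={ok} rejected={blocked}")  # 5 notifying mutations pass, 55 are blocked
```

Keying the budget on the pair rather than on the actor alone is what matters for this bug: a global per-actor limit generous enough for normal collection sharing would still let all of it be aimed at one Friend, whereas a per-pair budget caps how often any single person can be notified and leaves them time to block the sender.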

Facebook usually marks these types of reports as spam attacks. Because the impact on the victim's notifications was taken into account here, the report was resolved.

Timeline -

Reported - Friday, 3 January 2020 at 14:39
Closed as Invalid - Monday, 6 January 2020 at 23:40 (User can block the attacker)
Explanation sent to Facebook - Tuesday, 7 January 2020 at 03:05
Facebook asked for more info - Friday, 10 January 2020 at 00:12
POC video sent to Facebook - Friday, 10 January 2020 at 13:22
Reproduced by Facebook - Monday, 13 January 2020 at 19:40
Triaged - Friday, 17 January 2020 at 16:49
Rewarded - Wednesday, 19 February 2020 at 13:38
Asked for confirm on the fix - Tuesday, 17 March 2020 at 10:03
Still reproducible - Wednesday, 18 March 2020 at 06:37
Facebook asked for a new Video POC - Wednesday, 18 March 2020 at 10:04
Video sent - Wednesday, 18 March 2020 at 12:21
A fix pushed in - Tuesday, 31 March 2020 at 09:57
Confirming the fix - Wednesday, 1 April 2020 at 06:21