Steps for reproduction -
1. As a client of a large network, make 500 repeated requests to -

   POST /login/device-based/regular/login/?login_attempt=1&next=app_callback_url
   Host: www.facebook.com

   lsd=xyz&api_key=app_id&cancel_url=app_cancel_url&state=state_value&email=victim@victim.com&encpass=LMAO
2. If the request is repeated with the target's username or phone number in place of the email address, the response returns an "Account lock" or "Feature disallowed" error.
3. If it is repeated with a phone number or username that does not belong to the target user, the response returns a "Wrong password" error.
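The difference between steps 2 and 3 is the whole oracle: the error text tells the caller whether an identifier resolves to the target (locked) account. As an added illustration that is not part of this report and not Facebook's code, the Python below models a login handler with that leak beside one that collapses every failure into a single response; the account data, messages and function names are constructed for the example.

```python
import secrets

# Constructed sample data for this illustration (not real accounts): several
# contact points (email, phone, username) resolve to the same account id.
ACCOUNTS = {
    "victim@victim.com": "acct-1001",
    "+15550001111": "acct-1001",
    "victim.handle": "acct-1001",
    "someone@else.example": "acct-2002",
}
LOCKED_ACCOUNTS = {"acct-1001"}            # the target account is in a lockout state
# A real system compares against password hashes; plaintext keeps the model short.
PASSWORDS = {"acct-1001": "correct horse", "acct-2002": "battery staple"}

GENERIC_FAILURE = "The email/phone or password you entered is incorrect"


def vulnerable_login(identifier: str, password: str) -> str:
    """Leaky handler (hypothetical): the error text depends on whether the
    identifier resolves to an account and on that account's state, so a
    caller can learn which contact points belong to a locked account."""
    account = ACCOUNTS.get(identifier)
    if account is None:
        return "Wrong password"
    if account in LOCKED_ACCOUNTS:
        return "Account lock"
    if not secrets.compare_digest(PASSWORDS[account], password):
        return "Wrong password"
    return "OK"


def hardened_login(identifier: str, password: str) -> str:
    """Same checks, but every failure collapses into one response: lockout is
    still enforced, it just is not echoed back, so an unknown identifier and a
    locked account look identical to the caller."""
    account = ACCOUNTS.get(identifier)
    # Always run the comparison (against a dummy secret when the identifier is
    # unknown) so the failing branches do the same work.
    expected = PASSWORDS.get(account, "dummy-secret-for-unknown-accounts")
    password_ok = secrets.compare_digest(expected, password)
    if account is None or account in LOCKED_ACCOUNTS or not password_ok:
        return GENERIC_FAILURE
    return "OK"


def is_oracle(login) -> bool:
    """True when the same wrong password yields different responses for a
    contact point of the locked account and for an identifier nobody owns."""
    return login("+15550001111", "LMAO") != login("nobody.here", "LMAO")


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(fn.__name__, "leaks account state:", is_oracle(fn))
```

The point of `hardened_login` is that lockout still happens (the locked account cannot log in even with the right password), but the response shape no longer depends on which branch failed; the per-account state is a server-side decision, not a message.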
There are multiple rate-limiting mechanisms in place on that endpoint, so we could have tried 5 guesses per hour for a contact point match.
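Server-side, the pattern in step 1 (one client cycling many different contact points through a single login endpoint) is what a per-client budget on distinct identifiers per hour is meant to catch, as distinct from a user retyping one password. The Python below is an added example, not from this report or from Facebook; the log format, client ids and the threshold of 5 distinct identifiers per sliding hour (taken from the sentence above) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed access-log sample (not real Facebook logs): timestamp, client id,
# method, path, form body. client-A cycles through six distinct contact points
# in under a minute; client-B retries one email; client-C spreads its
# attempts out so no one-hour window holds more than five distinct values.
SAMPLE_LOG = """\
2022-04-17T10:00:01Z client-A POST /login/device-based/regular/login/ email=victim%40victim.com&encpass=LMAO
2022-04-17T10:00:02Z client-B POST /login/device-based/regular/login/ email=bob%40example.com&encpass=x
2022-04-17T10:00:05Z client-A POST /login/device-based/regular/login/ email=%2B15550001111&encpass=LMAO
2022-04-17T10:00:09Z client-A POST /login/device-based/regular/login/ email=victim.handle&encpass=LMAO
2022-04-17T10:00:10Z client-B POST /login/device-based/regular/login/ email=bob%40example.com&encpass=y
2022-04-17T10:00:14Z client-A POST /login/device-based/regular/login/ email=guess.one&encpass=LMAO
2022-04-17T10:00:20Z client-A POST /login/device-based/regular/login/ email=guess.two&encpass=LMAO
2022-04-17T10:00:27Z client-A POST /login/device-based/regular/login/ email=guess.three&encpass=LMAO
2022-04-17T10:05:00Z client-C POST /login/device-based/regular/login/ email=c1&encpass=p
2022-04-17T10:30:00Z client-C POST /login/device-based/regular/login/ email=c2&encpass=p
2022-04-17T11:00:00Z client-C POST /login/device-based/regular/login/ email=c3&encpass=p
2022-04-17T11:30:00Z client-C POST /login/device-based/regular/login/ email=c4&encpass=p
2022-04-17T12:00:00Z client-C POST /login/device-based/regular/login/ email=c5&encpass=p
2022-04-17T12:30:00Z client-C POST /login/device-based/regular/login/ email=c6&encpass=p
"""

WINDOW = timedelta(hours=1)
MAX_DISTINCT_IDENTIFIERS = 5   # assumed budget, matching the "5 guesses per hour" above


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, path, identifier)."""
    ts, client, _method, path, body = line.split(" ", 4)
    identifier = parse_qs(body).get("email", [None])[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, path, identifier


def flag_enumeration(log_text: str) -> dict:
    """Return {client: ISO timestamp of the request at which that client first
    exceeded MAX_DISTINCT_IDENTIFIERS distinct contact points inside a sliding
    one-hour window}. Repeats of the same identifier (a user retyping their
    password) do not count against the budget."""
    history = defaultdict(list)          # client -> [(ts, identifier), ...]
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, path, identifier = parse_line(line)
        if not path.startswith("/login/") or identifier is None:
            continue
        # Keep only requests still inside the sliding window, then add this one.
        recent = [(t, i) for t, i in history[client] if ts - t < WINDOW]
        recent.append((ts, identifier))
        history[client] = recent
        distinct = {i for _, i in recent}
        if len(distinct) > MAX_DISTINCT_IDENTIFIERS and client not in flagged:
            flagged[client] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))   # {'client-A': '2022-04-17T10:00:27'}
```

Counting distinct identifiers rather than raw requests is the design choice that matters here: a legitimate user who mistypes a password several times stays under the budget, while a client trying contact points against one account trips it on the sixth new value, whichever rate limit on total requests it otherwise stays below.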
Timeline -
Reported - 17th April 2022
Triaged - 14th May 2022
Fixed - 9th June 2022
Rewarded - 19th July 2022