[Facebook] Disable Notification Center and Delete Notifications

 A malicious user could have exploited a missing rate limit to disable the notification bar, prevent incoming notifications, delete the old notifications (read or unread) or even hang the low end devices running FB4A. This was undetected as the notifications will not mention the attackers Profile or name.

The endpoint goes to -
POST /ads/canvas_preview/?node_id=CANVAS_ID&page_id=PAGE_ID&user_ids[0]=ADMIN_ID&is_id_encoded=false HTTP/1.1
Host: www.facebook.com
By changing the user_ids[0]=ADMIN_ID to user_ids[0]=VICTIM_ID in the request he can send the canvas preview to anyone.
Rate limit evaluation -
We saw that we can send more than 4k payloads in just less than 3 minutes.
Since there is no rate limit we saw that we were getting the same response length since the first request. So we were not silently getting blocked.
Notification messages sent to the device were individual. They were sent one at a time. This would spam the notification bar and make it un usable.
After some payloads (3k or after) the notifications would stop appearing to the victim. If the attacker was still carrying out the bruteforce attack, victim won't get any notifications. Even the genuine requests won't be popping in the notification center. Resulting in into disabling the Notification bar.
If the attacker stopped after 4k payloads, the notification center would clear out all the notifications. The old notifications will be deleted.
This worked for both web UI and FB4A.
Timeline -
Reported - Sunday, March 10, 2019
Marked Duplicate - Thursday, March 21, 2019 
This is now fixed.