[Facebook] Missing rate limit in comments

On the Facebook Developers site, each bug report has a comment section, and that comment endpoint had no rate limit. Any user with a Facebook ID can comment on a public bug report.

Rate limit evaluation -

I was able to send 30001 repeated payloads with the Burp Intruder thread count set to 100 without being blocked. The 30001st payload was also sent successfully, within a minute, posting a comment and returning a "200 OK" status with a response saying "success=True".

The same could have been done with comment replies.

POC -

Visit any public bug report - https://developers.facebook.com/bugs/REPORT_ID

Post a comment, catch the request with Burp's Intercept, and send the request to Intruder.

Use Null payloads as the payload type and repeat the request.
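The control that was missing here, shown from the defender's side as an added example: a per-user sliding-window limit on comment submissions, plus a duplicate-body check, in front of a stand-in comment endpoint. This is illustration code, not Facebook's implementation; the thresholds, the user IDs and the `handle_comment` endpoint stand-in are assumptions chosen for the example.

```python
import time
from collections import deque


class CommentRateLimiter:
    """Sliding-window limiter keyed by user ID.

    The thresholds are assumptions for this illustration, not values from
    any real service: at most `max_per_window` accepted comments per user in
    any `window_seconds` span, and no identical comment body from the same
    user within `duplicate_seconds`.
    """

    def __init__(self, max_per_window=10, window_seconds=60.0, duplicate_seconds=300.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.duplicate_seconds = duplicate_seconds
        self._timestamps = {}   # user_id -> deque of accepted comment times
        self._last_seen = {}    # (user_id, body) -> time of last accepted identical body

    def _prune(self, user_id, now):
        """Drop accepted timestamps that have fallen out of the window."""
        q = self._timestamps.setdefault(user_id, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def check(self, user_id, body, now):
        """Return (allowed, reason). Only accepted comments consume budget."""
        q = self._prune(user_id, now)
        if len(q) >= self.max_per_window:
            return False, "rate_limited"
        key = (user_id, body.strip())
        last = self._last_seen.get(key)
        if last is not None and now - last < self.duplicate_seconds:
            return False, "duplicate"
        q.append(now)
        self._last_seen[key] = now
        return True, "ok"


def handle_comment(limiter, user_id, body, now=None):
    """Stand-in for the comment endpoint (hypothetical, not the real API).

    200 with success=True on accept, 429 when rate limited, 409 on duplicate.
    """
    now = time.monotonic() if now is None else now
    allowed, reason = limiter.check(user_id, body, now)
    if allowed:
        return {"status": 200, "success": True}
    return {"status": 429 if reason == "rate_limited" else 409,
            "success": False, "reason": reason}


def simulate_burst(limiter, user_id, count, start=0.0, spacing=0.01):
    """Replay `count` distinct comments from one user, `spacing` seconds apart,
    the way a repeated-request tool would; returns (accepted, rejected)."""
    accepted = rejected = 0
    for i in range(count):
        r = handle_comment(limiter, user_id, f"comment {i}", now=start + i * spacing)
        if r["status"] == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    lim = CommentRateLimiter(max_per_window=10, window_seconds=60.0)
    # "user-123" is a constructed ID; with the limit above, a burst of 30
    # submissions yields 10 accepted and 20 rejected with 429.
    print(simulate_burst(lim, "user-123", 30))
```

Two details matter more than the exact numbers. The limit is keyed on the authenticated user, not the client IP or the request body, so raising the thread count or varying the payload changes nothing. And the counter state has to live server-side in a store shared by every application instance; a per-process dictionary like the one above only illustrates the logic and would silently reset behind a load balancer.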

Timeline -

Reported - Tuesday, May 1, 2018

Triaged - Thursday, May 3, 2018

Rewarded - Thursday, June 7, 2018

Fixed - Tuesday, May 21, 2019
