Kassem Bazzoun

Published On: 27 May 2019

Bypassing "shared contents" blocking page limit on Facebook page

Other
Facebook | Web
---
LOW VALID
Description

Facebook has a system that block any page from posting photos, videos, or shared contents ,when the page violate the law , this type of block allowed the admin to post only a text and prevent him from sharing contents or images videos . An admin can bypass the sharing contents blocking limits by adding the parameter ( composer_unpublished_photo[0] = ) to the request and adding any Image ID that previously shared on the page .

Show Image

Impact

This vulnerability showed a way for a page to circumvent limitations on its ability to post media by attaching an existing media link.




Reproduction Steps

Step
1

Block Information 
======
1. This block is for 7 days . 

2. Attached is the the message received from Facebook to the admin when they block the page , and also the message occurred on the page . 

3. This block limits sharing any image while allowed to post any text without any attachment . 

Setup

======

1 . First the page is blocked ( this block is automatically by Facebook when the page violate the law ) 

2. You are the admin of the page 

Show Image

Step
2

Post anything ( you can only post a text without any attachments , so type "test" and post it for example ) . 

Show Image

Step
3

Edit The post 

Show Image

Step
4

 Intercept the request then type on " saving " button . 

Step
5

Add the following parameter to the request 

composer_unpublished_photo[0] = IMAGE_ID  


This parameter is responsible for adding image to the post , so you can bind this parameter 
any IMAGE_ID that previously shared on your page ( shared contents ) . 

Show Image

Step
6

Image successfully added to the post , and then we bypassed the limit of shared content and sharing images . 

Show Image

Patching

An admin should not use any previously image shared on the page while this block took place 1. I suggest to prevent the attacker from adding the " composer_published_photo[0] " parameter , while the page is blocked . 2. I suggest to prevent to bind the " composer_published_photo[0] " parameter with any image ID that previously used on Facebook , so the server should return an error , ---- > " Image already used " .

Videos

Timeline
.
Kassem 27 Feb 2019

Initial Report

.
Facebook 04 Mar 2019

pre-triage Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

.
Facebook 05 Mar 2019

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ... See More

.
Facebook 15 Apr 2019

Bug Fixed We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ... See More

.
Facebook 17 Apr 2019

Bounty Awarded This vulnerability showed a way for a page to circumvent limitations on its ability to post media by attaching an existing media link.

VALID






Show All Images