BOOK THIS SPACE FOR AD
ARTICLE ADNote: This bug went informative. So if you are not interested please skip. Though I personally consider it valid.
The bug makes it possible to again and again notify a fb user (friend) and send him page invite request even after he has “declined” the Page Like Request.
This enables a person to send Page Like invite request to a FB friend who has already declined the invite request to like the page.
User named Ruth is owner of LOL page .
User named Tom is victim who has already decline request to like her page. (Tom is friend of Ruth)
1. As Ruth, go in mbasic.facebook.com , to the particular page she owns and click on Invite friends.
2. Select Tom from the list and save the request in burp repeater.
3. As Tom in another browser, we see that invite has come to like the page, but we now decline the request.
4. Go to burp repeater and again replay /resend the request for no. 2.
5. We see that as Tom he has once again received request For Page Like by Ruth which bypasses the block set up in FB for web.
By design, FB does not allows to resend page like invite request, once the user decline the request but here we see it can be bypassed.
Reply By Facebook:
My reply:
Reply by FB:
My Take:
I don’t consider it just as an QA Bug. It is a bypass of their implementation(from the UI) which doesn’t allow a user to reinvite a person to like a page after the user has declined to like the page. So in an attack scenario, I may send hundreds of invite notifications to a victim and this will continue unless the user comes and block the page( which I consider another feature). If , they wanted to mitigate this by asking users to block the page; why was the Page Decline Feature implemented in the first place ?
The report was closed as informative and remains unfixed.