Thursday 13 June 2013

facebook series 1 - link, the underestimated timebomb

I noticed the misbehaving /link type post quite a long time ago. Previously, if I hit the rate limit with /feed type posts, I could use /link type posts instead, because they had a higher rate limit than /feed. But now the rate limit of /feed type posts has been increased, so there seems to be no obvious advantage to /link type posts anymore.

However, this misbehaviour of the /link type post has a high potential to lead to a new security vulnerability in the future, if not now.

Currently there are already 2 misbehaviours I've noticed:

1. Bypass page-to-page posting restriction using the API

Actually, it shouldn't be considered a bug, because a page admin is allowed to post as the page to another page using https://www.facebook.com. However, it's not supposed to be possible using the Facebook Graph API.

Let's say you are the admin of a fan page called "Iptv", and you want to post to the fan page "coca-cola".
The first step is to get a Page Access Token via the /me/accounts API endpoint. (Put this Page Access Token in the Graph API Explorer's access token field for testing.)
Then you can't simply make an HTTP POST request to PAGE_ID/feed with a message parameter, because you would get an error message instead:

Here is the workaround: if you post a 'link' type post, you are able to bypass this restriction and post as the page.

Open up the coca-cola fan page at https://www.facebook.com/cocacola, filter by Posts by Others, and you can see that the post to the coca-cola page as another page called 'Iptv' succeeded:

2. Bypass the fan page ban on posting

This is not supposed to happen even using https://www.facebook.com, not just the API.

The fan page admin banned the user, yet the user can still use the Graph API to bypass this restriction, post a link and customize its picture. The main cause is the "link=" parameter.

The real story:

1. The page A admin blocks user B

2. User B uses curl to post: curl -vLk -F link=http://www.google.com/ -F message=ha --form "picture=http://i.stack.imgur.com/7J2xf.png" https://graph.facebook.com/PAGE_A_ID/feed?access_token=USER_ACCESS_TOKEN

3. The post to page A succeeds. The post is visible when filtering by "Posts by Others" at https://www.facebook.com/pages/PAGE_A_NAME/PAGE_A_ID?filter=2
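Both misbehaviours above share one root cause: the restriction (page-as-page via the API in #1, the admin's ban in #2) is enforced on the plain-message path but not on the path a link= request takes. As an added illustration, not code from this post or from Facebook, here is a constructed Python 3.9+ model of a feed handler with the ban check in only the message branch, beside a version that authorizes before branching on the post type; the page and user ids are placeholders.

```python
"""Constructed model of the flaw: a ban check that lives in only one code path."""
from dataclasses import dataclass, field

@dataclass
class Page:
    page_id: str
    banned: set[str] = field(default_factory=set)  # user ids blocked by the admin
    posts: list[dict] = field(default_factory=list)

class Forbidden(Exception): ...

def check_can_post(page: Page, actor_id: str) -> None:
    """The single authorization decision every posting path should share."""
    if actor_id in page.banned:
        raise Forbidden(f"{actor_id} is banned from {page.page_id}")

def post_to_feed_vulnerable(page: Page, actor_id: str, params: dict) -> dict:
    """Bug: only the plain-message branch consults the ban list, so a request
    carrying link= (plus message= and picture=) is stored unchecked."""
    if "link" in params:
        post = {"from": actor_id, "type": "link", **params}
    else:
        check_can_post(page, actor_id)
        post = {"from": actor_id, "type": "status", **params}
    page.posts.append(post)
    return post

def post_to_feed_fixed(page: Page, actor_id: str, params: dict) -> dict:
    """Fix: authorize once, before branching on the kind of post."""
    check_can_post(page, actor_id)
    post = {"from": actor_id, "type": "link" if "link" in params else "status", **params}
    page.posts.append(post)
    return post

def replay_banned_user() -> tuple[bool, bool]:
    """Replays steps 1-3 with constructed ids; returns whether the banned
    user's link post landed under the (vulnerable, fixed) handler."""
    params = {"link": "http://www.google.com/", "message": "ha",
              "picture": "http://i.stack.imgur.com/7J2xf.png"}
    landed = []
    for handler in (post_to_feed_vulnerable, post_to_feed_fixed):
        page = Page("PAGE_A_ID", banned={"user_b"})  # page A admin blocked user B
        try:
            handler(page, "user_b", params)
            landed.append(len(page.posts) == 1)
        except Forbidden:
            landed.append(False)
    return landed[0], landed[1]
```

The practical check for any API with several post types is the same: every branch must pass through the one shared authorization function, and a test like replay_banned_user should be run for each parameter combination the endpoint accepts.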

*I've already reported bug #2 to Facebook at https://developers.facebook.com/bugs/285031211633194