However, this misbehaviour of the 'link' type post has high potential to lead to a new security vulnerability in the future, if not now.
Currently there are already two misbehaviours I've noticed:
1. Bypass page-to-page posting restriction using the API
Actually it shouldn't be considered a bug, because a page admin is allowed to post as a page to another page using https://www.facebook.com. However, it's not supposed to be possible using the Facebook Graph API.
Let's say you are the admin of a fan page called "Iptv" and you want to post to the fan page "coca-cola".
The first step is to get a Page Access Token via the /me/accounts API endpoint. (Put this Page Access Token in the Graph API Explorer's access token field to test.)
Then you can't simply make an HTTP POST request to PAGE_ID/feed with the message parameter, because you would get an error message instead:
The workaround: if you post a 'link' type post, you are able to bypass this restriction and post as the page.
Open the coca-cola fan page at https://www.facebook.com/cocacola, filter by Posts by Others, and you can see the post to the coca-cola page from another page called 'Iptv' succeeded:
2. Bypass fan page ban restriction on posting
This is not supposed to happen even using https://www.facebook.com, not just the API.
The fan page admin banned the user; however, the user can still use the Graph API to bypass this restriction, post a link and customize its picture. The main cause is the "link=" parameter.
The real story:
1. Page A admin blocks user B
2. User B uses curl to post: curl -vLk -F link=http://www.google.com/ -F message=ha --form "picture=http://i.stack.imgur.com/7J2xf.png" https://graph.facebook.com/PAGE_A_ID/feed?access_token=USER_ACCESS_TOKEN
3. The post to page A succeeds. It can be seen when filtering by "Posts by Others" at https://www.facebook.com/pages/PAGE_A_NAME/PAGE_A_ID?filter=2
*I've already reported bug #2 to Facebook at https://developers.facebook.com/bugs/285031211633194
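To show where a ban check goes wrong in bug #2, here is an added model (not Facebook's code, and not a claim about how their backend is written): a feed handler that consults the ban list only on the message-only path, beside one that authorizes before branching on post type. The page id, user id and URLs are constructed samples taken from the curl command above.

```python
# Added illustration of the root cause, not Facebook's code: a simplified
# page-feed handler whose ban check only runs for one post type, beside a
# version that runs the same authorization check before any post is created.
from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: str
    banned_users: set = field(default_factory=set)
    posts: list = field(default_factory=list)


class PostDenied(Exception):
    pass


def post_vulnerable(page, user_id, message=None, link=None, picture=None):
    """Branches on post type first; the ban check lives only on the status path."""
    if link is None:
        # Only plain "status" posts are checked against the ban list.
        if user_id in page.banned_users:
            raise PostDenied("user is banned from this page")
        page.posts.append({"type": "status", "from": user_id, "message": message})
    else:
        # The link path never consults the ban list: the "link=" bypass above.
        page.posts.append({"type": "link", "from": user_id, "message": message,
                           "link": link, "picture": picture})
    return page.posts[-1]


def post_fixed(page, user_id, message=None, link=None, picture=None):
    """Authorization first, independent of which parameters were supplied."""
    if user_id in page.banned_users:
        raise PostDenied("user is banned from this page")
    post = {"type": "link" if link else "status", "from": user_id, "message": message}
    if link:
        post.update(link=link, picture=picture)
    page.posts.append(post)
    return post


def banned_link_post_accepted(handler):
    """True when a banned user manages to create a link post through handler."""
    page = Page("PAGE_A_ID", banned_users={"USER_B"})  # constructed sample data
    try:
        handler(page, "USER_B", message="ha", link="http://www.google.com/",
                picture="http://i.stack.imgur.com/7J2xf.png")
    except PostDenied:
        return False
    return any(p["type"] == "link" and p["from"] == "USER_B" for p in page.posts)
```

The useful check is the last function: run it against every post path the API exposes, since a ban that holds for one parameter set and not another is exactly the behaviour described above.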