Facebook Launches 0

Have you heard of Facebook Zero? This phrase refers to the expectation that organic reach on Facebook for pages will drop to 0%. You’ve probably heard people running around like they’ve got snakes in their hair, screaming about the end of Facebook’s value to businesses. As with each and every algorithm change that’s come before, things aren’t quite as bad as the predictions.


On January 11, 2018 there was a release from FB that outlined the changes your page will see, and I’m going to take the opportunity to break it down for you so that you can understand more clearly what it means and how you can adapt.

Facebook is prioritizing posts from Family & Friends

This isn’t that new of a concept (see their News Feed Values). It’s what the users want, and they always have. Facebook tried some experiments around paying to have Publishers (news organizations) and celebrities create content. During that phase, we saw more content that wasn’t our first choice. It means there will be less content from pages across the board.

Simply put, your Page content will be seen by fewer people. Users will see more from Friends and less from Pages. But that’s really the way it’s always been. People use Facebook to maintain relationships with people, not to be sold to.

Increased emphasis on conversation

In this instance, posts that encourage conversation and comments will fare well. If you regularly post content that no one interacts with or that only garners Likes, you’ll definitely feel this one. Every time there’s a change in the algorithm, I get complaints from business owners and marketers that it’s unfair. Remember how you feel as a consumer of FB and how much you just LOVE boring content. I suspect the word “fairness” is really a disguise for unwillingness to amend lazy posting behavior.

If your Page puts out quality content that’s valuable to your audience, you won’t experience a big change due to Facebook Zero. I too get lazy and “phone in” posts; I’m human, but I know that I could’ve done better. Facebook is no longer letting us slide with garbage posts. There simply isn’t the space in the News Feed for fluff. So, it’s time to bring your “A” game or suffer the consequences.

No More Engagement Bait

We’ve all seen these posts. “Give us a Like!” “TAG your friends” “Click like if you agree”. If you’re manipulating people into engaging with your posts, Facebook is onto you (and so is everyone else). This will no longer fly, and your posts will be demoted. FB learned how much users dislike and distrust this type of content, so they’re punishing content creators that use this crutch. Learn more about engagement bait, what it is, and what to avoid.

Why did they do this?

They don’t hate businesses and they don’t have it out for us. They’ve learned that when users passively consume content that doesn’t spark engagement, it’s bad for a person’s mood. The top dogs at Facebook want their users to enjoy their experience; makes sense, right? They’re adapting to the changing habits of their audience and tweaking the News Feed to provide what that audience is asking to see. The users are voting with their time spent on the channel. As their happiness decreases, they leave, plain and simple.

Let me express this in another way. If you have a DVR or TiVo, you don’t watch the commercials, do you? No, no you don’t. That’s because no one likes to be sold to, marketed to, or overtly pitched. Most businesses in the Feed act desperately, and the users are over it. It boils down to posting quality content.

Learn How Ranking Works

The first part of surviving Facebook Zero is learning how they rank your content. Adam Mosseri (VP, News Feed at Facebook) broke down what Facebook uses to rank content in the News Feed. It’s important that you know this detail as well, which he stated during the 2017 F8 Summit: “The most critical input into what you see in your news feed is who you decide to friend and what you decide to follow in the first place.”

Who posted a story

Frequency of posts from that person / publisher
Previous negative feedback on an author

Engagement

Average time spent on content
Overall engagement a post already has

When the story was posted

Friend tags
A recent comment from a friend

Story type

Completeness of page profile
Posted from a friend or page
How informative the post is

How You Can Adapt Your Content to Avoid Facebook Zero

Proofread your copy
Double check your links
Create content likely to elicit positive feedback
Publish content that promotes engagement and an investment of time
Post content that’s social and shareable
Build your audience and following that are relevant to your overarching goals

Like many other algorithm changes that have come before, with good posting habits you will survive.

Hello, this is Samip Aryal from Nepal writing about my highest-paid report. This write-up describes a rate-limiting issue in a specific endpoint of Facebook’s password reset flow that could have allowed the takeover of any Facebook account by brute-forcing a particular type of nonce.



Background

So basically, I wasn’t searching for any quality bugs for several months. It started when one day, during my Engineering board exam, I was like… Let’s search for Account Takeover; like literally! Out of the blue; still not sure where it came from lol. Now, I needed a fresh untouched/hidden/unnoticed endpoint to look for. And when it’s about an “untouched endpoint”, I thought looking on the web is like nah.. Everybody looks on the web. So I started my APK Studio setup, jumped into Facebook’s main login page, and tried looking for one. Uninstallation and installation of several versions of Facebook took place, but nothing seemed new/interesting. Then I was like, what if we try with different user-agents to see the server’s UI responses on each of the login pages?



Or you can use extensions.

And somewhere this popped up in the password reset flow:



The vulnerable endpoint

Wait, what! I’ve seen this option during the reset flow in one of my other accounts (in my default settings). But anyway, this immediately looked interesting enough for me to quickly jump to testing it. There were three reasons:

The nonce sent to the user is active for longer than I expected (≈ 2 hrs).
The same nonce code was sent every time for the period.
I didn’t see any sort of code invalidation after entering the correct code with multiple previous invalid tries (unlike in the SMS reset functionality).


This led me to consider a brute-force attack.


Technical Details

1. Choose any Facebook user account and go to its password reset flow.


2. Simply choose the following from the reset options:



This sends a POST request to:

POST /ajax/recover/initiate/ HTTP/1.1

with the parameter recover_method=send_push_to_session_login


3. Send with a dummy 6-digit code ‘000000’.


This creates a POST request to the vulnerable endpoint:

POST /recover/code/rm=send_push_to_session_login&spc=0&fl=default_recover&wsr=0 HTTP/1.1

4. The “n” parameter holds the nonce.


5. Brute-force this 6-digit value from 000000 to 999999. This can be done in multiple ways. Using web proxies like Burp Suite:

a) Send the above request to the Intruder and insert the $$ placeholder in the ’n’ parameter in order to brute-force the nonce code, and make 10 sets/tabs of concurrent payload requests, each with 10,000 possibilities (000000 to 111111, 111111 to 222222, and so on).

b) Or, automatically through Burp’s resource pool, the maximum number of concurrent requests can be set between 10–15, which should be sufficient to go through the entire search space in about 1 hr.

6. Yes, there was no rate limiting on this endpoint, so the request with the matching code was answered with a 302 status code. Use this code to log in/reset the FB account password for the user account.

7. Also, in my case, the option ‘Send code via Facebook notification’ got hidden from the UI at my end, which might be due to some sort of protection, but it could be easily bypassed by changing the IP address.
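The three weaknesses listed above (a code that stays valid for about two hours, the same code re-sent on every request, and no invalidation after repeated wrong guesses) are exactly what a reset-code verifier has to close so that a 6-digit nonce cannot be enumerated. The following is an added illustration, not code from the write-up or from Facebook: an in-memory verifier whose `max_failed` and `ttl_seconds` settings can be relaxed to reproduce the weak behaviour described above, with a `simulate_guessing` helper that feeds codes 000000, 000001, … to a local store so the two policies can be compared. The limit of 5 wrong attempts and the 10-minute lifetime are assumed values chosen for the example.

```python
"""Hardened verification of a 6-digit password-reset nonce (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

NONCE_DIGITS = 6


@dataclass
class ResetChallenge:
    nonce: str
    issued_at: float
    failed_attempts: int = 0


class ResetCodeStore:
    """Per-account store of outstanding reset codes.

    max_failed=None and ttl_seconds=None reproduce the weak behaviour the
    write-up describes (no invalidation, long-lived code).  The defaults are
    the hardened policy; both numbers are assumptions for this example.
    """

    def __init__(self, max_failed: Optional[int] = 5,
                 ttl_seconds: Optional[float] = 600,
                 clock: Callable[[], float] = time.time):
        self.max_failed = max_failed
        self.ttl_seconds = ttl_seconds
        self._clock = clock
        self._challenges: dict[str, ResetChallenge] = {}

    def issue(self, account_id: str, nonce: Optional[str] = None) -> str:
        # A fresh random nonce on every issue replaces any outstanding one, so a
        # re-sent code never reuses a value that is already being guessed.
        # The explicit `nonce` argument exists only so tests can use a known value.
        if nonce is None:
            nonce = f"{secrets.randbelow(10 ** NONCE_DIGITS):0{NONCE_DIGITS}d}"
        self._challenges[account_id] = ResetChallenge(nonce, self._clock())
        return nonce

    def verify(self, account_id: str, candidate: str) -> str:
        """Return 'ok', 'invalid', 'locked', 'expired' or 'no_challenge'."""
        ch = self._challenges.get(account_id)
        if ch is None:
            return "no_challenge"
        if self.ttl_seconds is not None and self._clock() - ch.issued_at > self.ttl_seconds:
            del self._challenges[account_id]
            return "expired"
        # Constant-time comparison so the response time does not leak prefix matches.
        if hmac.compare_digest(ch.nonce.encode(), candidate.encode()):
            del self._challenges[account_id]   # single use: a correct code is consumed
            return "ok"
        ch.failed_attempts += 1
        if self.max_failed is not None and ch.failed_attempts >= self.max_failed:
            del self._challenges[account_id]   # burn the code; the user must request a new one
            return "locked"
        return "invalid"


def simulate_guessing(store: ResetCodeStore, account_id: str,
                      max_guesses: int = 10 ** NONCE_DIGITS):
    """Submit codes 000000, 000001, ... to a local store until it answers anything
    other than 'invalid'.  Returns (final_outcome, guesses_made); used here only to
    compare the weak and hardened policies on an in-memory store."""
    for i in range(max_guesses):
        outcome = store.verify(account_id, f"{i:0{NONCE_DIGITS}d}")
        if outcome != "invalid":
            return outcome, i + 1
    return "exhausted", max_guesses


if __name__ == "__main__":
    weak = ResetCodeStore(max_failed=None, ttl_seconds=None)
    weak.issue("victim", nonce="004242")           # constructed test value
    print("weak policy:    ", simulate_guessing(weak, "victim"))      # ('ok', 4243)
    hardened = ResetCodeStore()
    hardened.issue("victim", nonce="004242")
    print("hardened policy:", simulate_guessing(hardened, "victim"))  # ('locked', 5)
```

With the weak policy the guessing loop simply walks to the correct value; with the hardened policy the challenge is destroyed after the fifth wrong guess, and any later attempt, including the correct code, gets `no_challenge` until the user asks for a new code. In production the attempt counter and expiry would live in the same shared store as the nonce (for example the session database or a cache keyed by account), so that the limit holds across all application servers and across IP addresses rather than per connection.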


Sample POC

This is a 0-click account takeover, right?

Well, turns out that;

→ For some set of users, the nonce code would be rendered on the notification itself.


This is the zero-click case

→ For the other set, the notification that is sent with the nonce would need to be opened, and the code would be rendered on a separate screen.


This is the one-click case
Here, in this second case, according to Facebook — one tap by the victim is needed for the nonce to generate.

* Facebook replied that “While this did require user interaction, we consider clicking a notification to be a much lower bar than clicking a link sent to you by an attacker, therefore we decided to deduct from the 0-click ATO, rather than basing the bounty off the 1-click ATO”.


This vulnerability had a huge impact since it enabled the full takeover of Facebook accounts. It also helped me to rank 1 in Facebook’s Hall of Fame 2024 (currently).


facebook.com/whitehat/thanks

Timeline:

Jan 30, 2024 — Report Sent
Feb 1, 2024 — Pre-Triaged
Feb 1, 2024 — Clarification Requested by Facebook | Unreproducible
Feb 2, 2024 — Clarification sent that the issue seems fixed today
Feb 9, 2024 — Got an invitation for BountyCon 2024 (South Africa) in the same email thread as the issue; got confused.
Feb 22, 2024 — Rewarded, with a clarification message that it was fixed after somebody else’s report that came after mine, but I was the first to report (after investigation)

Thank you for reading this write-up. If you have any queries/suggestions, I’m available on Facebook / Instagram / Twitter (X).
