Summary: It was possible to delete a Facebook user's draft and settings through a persistent DoS using zero-width no-break space characters.
Steps to reproduce:
- Create a draft post in the Facebook Android app, and set the auto-play videos setting to Never.
- Copy the content of https://pastebin.com/0tpucbuv
- Open facebook.com in Mozilla Firefox, create a new note, give it a title, paste the copied content into the body of the note, and publish the note.
- Visit the created note in Facebook's Android app. The app goes into an infinite loop and the user has to close it.
- This resets the session and asks the user to log in again.
- After logging in, the user finds that the draft and the setting have been deleted.
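A defender-side input check for the class of content used in these steps, added here as an example (it is not the report's own code and does not reproduce the pastebin payload): it counts zero-width no-break spaces (U+FEFF) and related zero-width characters in a submitted note body, flags unusually long runs that no legitimate text needs, and returns a stripped copy for rendering. The thresholds, the sample notes and the function names are assumptions for this example.

```python
from dataclasses import dataclass

# Zero-width characters that render as nothing but still occupy a code point.
# U+FEFF is the zero-width no-break space named in the report; the others are
# its common companions. The set is kept explicit rather than matching the whole
# Unicode "Cf" category, which would also strip legitimate bidi control marks.
ZERO_WIDTH = {"\ufeff", "\u200b", "\u200c", "\u200d", "\u2060"}


@dataclass
class ScanResult:
    total_zero_width: int  # number of zero-width code points found
    longest_run: int       # longest uninterrupted run of them
    cleaned: str           # input with zero-width code points removed


def scan_zero_width(text: str) -> ScanResult:
    """Count zero-width characters in text and return a copy without them."""
    total = longest = current = 0
    kept = []
    for ch in text:
        if ch in ZERO_WIDTH:
            total += 1
            current += 1
            longest = max(longest, current)
        else:
            current = 0
            kept.append(ch)
    return ScanResult(total, longest, "".join(kept))


def is_suspicious(result: ScanResult, max_run: int = 8, max_total: int = 64) -> bool:
    """Flag content whose zero-width usage exceeds what ordinary text needs.
    The thresholds are assumptions for this example, not values from the report."""
    return result.longest_run > max_run or result.total_zero_width > max_total


# Constructed sample inputs (not the pastebin content from the report).
LEGIT_NOTE = "Weekend plans:\u200b see you at 5"        # one stray ZWSP from copy/paste
FLOODED_NOTE = "Looks harmless" + "\ufeff" * 5000 + "!"  # long run of U+FEFF

if __name__ == "__main__":
    for label, note in (("legit", LEGIT_NOTE), ("flooded", FLOODED_NOTE)):
        r = scan_zero_width(note)
        print(f"{label}: zero_width={r.total_zero_width} longest_run={r.longest_run} "
              f"suspicious={is_suspicious(r)} cleaned_len={len(r.cleaned)}")
```

Running it reports the legitimate note as clean (one zero-width character, not flagged) and the flooded note as suspicious, with the 5000-character run removed from the cleaned copy.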
Proof of concept:
Status of vulnerability: Fixed, with the comment "fb considers DoS attacks in scope as long as they are persistent (e.g. they would require a user to uninstall an app or break a complete functionality)".
Thanks )