Facebook exploit – Confirm website visitor identities

219 points, by TomAnthony, about 6 years ago

8 comments

patorjk, about 6 years ago

I found an exploit like this in Google+ back in 2013 that worked in basically the same fashion (script tag and onload/onerror handlers) to identify users, and to tell if they were a part of certain groups. Google fixed the issue, but later wrote back:

> The panel has determined your report did not meet the threshold for a reward or credit in our Hall of Fame. Thank you for reporting this issue and good luck with your continued bug hunting.

That always kind of rubbed me the wrong way. I found a similar bug in Facebook [1], though it used image size instead of the script tag. Like the OP, I was given $1000. It definitely made me feel a lot more favorable towards Facebook's security team.

[1] http://patorjk.com/blog/2013/03/01/facebook-user-identification-bug/
air7, about 6 years ago

I once (2009) found a similar bug that allowed leaking the ID and personal info of a FB user when their browser loaded a seemingly innocent <img> tag (so it could be embedded in a forum post, for example).

Sadly, it was before FB had a bug bounty program, so I didn't receive anything after I contacted them and they fixed the issue. I wrote about it here: http://blog.quaji.com/2009/07/facebook-personal-info-leak.html
aiiane, about 6 years ago

A question worth pondering is if this is something that should continue to be fixed at the site level, or whether it's representative of an overarching problem with the data that browsers make available around cross-origin requests. access-control-allow-origin was supposed to be the means of addressing cross-origin concerns, but in this case even its usage doesn't prevent the issue.

Perhaps browsers need to expand the potential effects of access-control-allow-origin.
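The point made above is that Access-Control-Allow-Origin only governs whether cross-origin script may read a response; a `<script src>` or `<img src>` still fires onload/onerror depending on the status code, which is the oracle the thread is about. The following is an added illustration, not code from the thread or from Facebook, of the server-side gate that actually closes that channel: a Fetch Metadata resource-isolation check for an authenticated endpoint, written for Node.js. The function names and the Express-style wiring are my own assumptions.

```javascript
// Added example: Fetch Metadata "resource isolation" for an authenticated
// endpoint. CORS decides only whether cross-origin script may READ the body;
// whether the response LOADS (and so which of onload/onerror fires) is decided
// before CORS applies. Refusing cross-site non-navigation requests up front
// removes that status-code oracle. Names here are hypothetical, not any
// library's API.

const ALLOWED_SITES = new Set(['same-origin', 'same-site', 'none']);

// Decide whether to serve a request, given its method and headers with
// lowercase keys (the shape Node's http module exposes).
// Returns { allow: boolean, reason: string }.
function isolateResource(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Older browsers send no Fetch Metadata at all. Allow so they still work,
  // and rely on SameSite cookies plus Cross-Origin-Resource-Policy for them.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  // Same-origin, same-site and browser-initiated (typed URL, bookmark).
  if (ALLOWED_SITES.has(site)) return { allow: true, reason: 'same-site-or-direct' };

  // Cross-site: permit only a top-level GET navigation (a user following a
  // link). <script>, <img>, <iframe>, <object> and <embed> are all refused.
  if (mode === 'navigate' && method === 'GET' && dest === 'document') {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  return { allow: false, reason: `cross-site ${dest || 'request'} blocked` };
}

// Headers every response from the endpoint should carry. CORP makes
// compliant browsers refuse to load the body in a cross-origin <script>/<img>
// even if the gate above is bypassed; Vary keeps caches from mixing verdicts.
function isolationHeaders() {
  return {
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest',
  };
}

// Express-style middleware wiring (constructed usage; nothing runs on load).
function isolationMiddleware(req, res, next) {
  const verdict = isolateResource(req.method, req.headers);
  for (const [name, value] of Object.entries(isolationHeaders())) res.setHeader(name, value);
  if (!verdict.allow) return res.status(403).end();
  next();
}
```

Blocked cross-site embeds get the same 403 whether or not the visitor is logged in, so the response no longer encodes anything about the session.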
saagarjha, about 6 years ago

> Because the endpoint is HTTP2 it also means you can have many of these requests in flight at once, which makes checking against large lists of IDs very quick.

It's interesting that there wasn't any rate limiting on this API, it seems like?
supernovae, about 6 years ago

Is there something in here we're missing?

Someone finds an exploit, gets the bounty, Facebook fixes it and we have a timeline.

Sounds like the system worked... are we looking for something else here?
aboutruby, about 6 years ago

One nice thing about GraphQL is that there are only a few endpoints to secure instead of thousands.
cheeaun, about 6 years ago

Just wondering, how or what was the fix for this exploit?
renholder, about 6 years ago

Did someone get a grab of it, by any chance? Getting 502 Bad Gateway from Cloudflare.