Fizz, open-sourced by Facebook in August 2018, is the company's implementation of the TLS 1.3 cryptographic protocol. At the time it was unveiled, Fizz was used to protect communications in Facebook's mobile applications, load balancers, internal services, Proxygen HTTP, and other applications. Other organizations and open source projects may also have started using it after its release.
Facebook Fizz Vulnerability.
A researcher at code analysis firm Semmle found that Fizz is vulnerable to a denial-of-service (DoS) flaw that an unauthenticated remote attacker could easily trigger. Exploiting the flaw sends Fizz into an infinite loop, which makes the web service unavailable. The flaw cannot be used to gain access to user data, both Facebook and Semmle have confirmed.
“The impact of this vulnerability is that an attacker could send a malicious message via TCP to any server using Fizz and run an endless loop on that server. This can make the server immune to other clients,” explained Kevin Backhouse, a Semmle researcher who discovered the flaw.
“The message size is a little over 64 KB, so this attack is extremely cheap for an attacker, but it damages the server. To illustrate this, one computer with a normal Internet connection (download speed of 1 Mbps) can send two such messages per second. Since each message knocks out one CPU core, it will only take a small botnet to quickly weaken the entire data center,” he added.
The vulnerability was reported to Facebook on February 20, and a patch for Facebook's internal systems was released the same day. The patch was pushed to GitHub five days later and is included in version 2019.02.25.00 and later.
Although Facebook’s bug bounty program usually doesn’t cover DoS vulnerabilities, the company decided to award $10,000 because the problem “could have significant risk”. Semmle donated the award to charity, so Facebook doubled the amount, and the code analysis firm also picked up the original award and donated it to another charity.