DoS on Facebook Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE.

Step to reproduce:

  1. copy content of https://pastebin.com/0tpucbuv
  2. Open facebook.com in Mozilla, Create a new note, give title and paste the copied content in body of note and publish the note.
  3. Visit created note on facebook’s android app, App will goes in infinity loop and user have to close app.

Proof of concept: https://youtu.be/FepNtq2MKus

Status of Vulnerability: Fixed with comment (fb consider DoS attacks in scope as long as they are persistent. (e.g. would require a user to uninstall an app or break a complete functionality)).

Thanks

Rahulkankrale