Malicious behavior suspension — which pattern?
20 views
Skip to first unread message
Klyra
5:04 PM (3 hours ago) 5:04 PM
to Chromium Extensions
Account suspended for "Malicious behavior". 2-year-old account,
8,300+ users, no prior issues. In-dashboard appeal got the generic
"will not reinstate" reply no indication of which file or policy
subsection.
The extension is a Facebook Groups bulk poster: lets a user compose
one post and publish/schedule it across groups they're already
members of. Runs inside facebook.com, uses the user's own session,
posts via FB's /api/graphql endpoint with fb_dtsg tokens scraped
from the page HTML.
Three possible triggers:
1. "debugger" + Input.dispatchMouseEvent — we use CDP for a handful
of clicks that FB's UI refuses when dispatched as synthetic
events. Reads as bot-check evasion; I get why.
2. "webRequest" — observer only, no blocking. Likely over-declared.
3. A remote endpoint (our server) returning FB's current GraphQL
doc_id, because FB rotates them. Reads as remote config even
though it's just a numeric ID.
I'll remove any of the three within 24h and resubmit. Which one is
it — or something else entirely? Even an off-the-record
"warmer/colder" would stop me from removing the wrong thing.
Happy to share manifest or source on request.
Thanks,
Liran
8,300+ users, no prior issues. In-dashboard appeal got the generic
"will not reinstate" reply no indication of which file or policy
subsection.
The extension is a Facebook Groups bulk poster: lets a user compose
one post and publish/schedule it across groups they're already
members of. Runs inside facebook.com, uses the user's own session,
posts via FB's /api/graphql endpoint with fb_dtsg tokens scraped
from the page HTML.
Three possible triggers:
1. "debugger" + Input.dispatchMouseEvent — we use CDP for a handful
of clicks that FB's UI refuses when dispatched as synthetic
events. Reads as bot-check evasion; I get why.
2. "webRequest" — observer only, no blocking. Likely over-declared.
3. A remote endpoint (our server) returning FB's current GraphQL
doc_id, because FB rotates them. Reads as remote config even
though it's just a numeric ID.
I'll remove any of the three within 24h and resubmit. Which one is
it — or something else entirely? Even an off-the-record
"warmer/colder" would stop me from removing the wrong thing.
Happy to share manifest or source on request.
Thanks,
Liran
Reply all
Reply to author
Forward
0 new messages