Disclose private attachments in Facebook Messenger Infrastructure

Introduction

Messenger is a standalone instant messaging app by Meta. With features like text messaging, voice/video calls, and file sharing, it boasts over a billion users globally. Accessible on multiple devices, it has become a widely used communication tool.

The finding

During testing of the Facebook Messenger platform, a critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the parameters that carry attachment IDs (video, image, file, and audio message IDs). The server placed no restrictions on these IDs, so an unauthorized party could disclose any private attachment transmitted through the Messenger infrastructure, either by knowing the attachment's fbid or by brute-forcing it. This emphasizes the importance of robust access controls and validation on every object reference in ensuring the confidentiality and integrity of sensitive data.

Reproduction Steps

The attacker initiates the exploitation process by uploading any file within the Facebook ecosystem; the main Facebook chat, Messenger, Workplace chat, and Portal Facebook chat are all susceptible.

Upon uploading a file, such as an image, the attacker intercepts the request using Burp Suite. The intercepted request takes the form:

POST /messaging/send/ HTTP/1.1
Host: www.facebook.com

client=mercury&action_type=ma-type%3Auser-generated-message&ephemeral_ttl_mode=0&has_attachment=true&image_ids[0]=123456&message_id=...etc

The vulnerability lies in the image_ids[0] parameter, which the attacker manipulates. By changing the value of image_ids[0] to the victim’s image ID, the attacker resends the manipulated request to the Facebook server, thereby successfully disclosing the victim’s private image.

For other vulnerable parameters, the malicious actor can similarly disclose different types of attachments by substituting the image ID parameter with the corresponding one:

  • image_id[0] ==> file_id[0]: for disclosing files
  • image_id[0] ==> video_id[0]: for disclosing videos
  • image_id[0] ==> audio_id[0]: for disclosing audio messages

These steps unveil a critical security bug, allowing unauthorized access to various types of attachments within the Facebook Messenger application.
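As an added illustration of the root cause and its fix (this is example code written for this writeup, not Facebook's own implementation), the following Python handler parses the form-encoded /messaging/send/ body shown above and resolves the attachment ID parameters two ways: a vulnerable version that looks the fbid up with no ownership check, and a hardened version that rejects any attachment the sender did not upload and counts denials so repeated guessing stands out. The attachment store, the "attacker"/"victim" user names and the fbids are constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed sample attachment store: fbid -> uploader and attachment type.
ATTACHMENTS = {
    "123456": {"owner": "attacker", "kind": "image"},
    "987654": {"owner": "victim", "kind": "image"},
}

# Request parameters that carry attachment fbids, as named in the writeup.
ATTACHMENT_PARAMS = ("image_ids[0]", "file_id[0]", "video_id[0]", "audio_id[0]")

# Per-sender count of rejected attachment references (hypothetical detection signal).
DENIALS = {}


def attachment_ids(body):
    """Return every attachment fbid present in a form-encoded send-message body."""
    params = parse_qs(body, keep_blank_values=True)
    return [fbid for name in ATTACHMENT_PARAMS for fbid in params.get(name, [])]


def send_vulnerable(sender, body):
    """IDOR: any fbid that exists is attached, regardless of who uploaded it."""
    return [ATTACHMENTS[fbid] for fbid in attachment_ids(body) if fbid in ATTACHMENTS]


def send_hardened(sender, body):
    """Attach only fbids the sender uploaded; any other reference fails the whole request."""
    ids = attachment_ids(body)
    for fbid in ids:
        att = ATTACHMENTS.get(fbid)
        if att is None or att["owner"] != sender:
            # Unknown and foreign ids are treated identically so the response leaks nothing.
            DENIALS[sender] = DENIALS.get(sender, 0) + 1
            raise PermissionError("attachment %s is not owned by %s" % (fbid, sender))
    return [ATTACHMENTS[fbid] for fbid in ids]


def looks_like_enumeration(sender, threshold=5):
    """Flag a sender whose rejected attachment references reach the threshold."""
    return DENIALS.get(sender, 0) >= threshold


if __name__ == "__main__":
    # Constructed body modelled on the intercepted request, with the victim's fbid substituted.
    body = "client=mercury&has_attachment=true&image_ids[0]=987654&message_id=m1"
    print(send_vulnerable("attacker", body))   # victim's image is returned
    try:
        send_hardened("attacker", body)
    except PermissionError as err:
        print("rejected:", err)
```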

Timeline

  • Sarmad: 22 Jan 2019
    • Initial Report
  • Meta Bug Bounty Program: 04 Feb 2019
    • Report Triaged
  • Meta Bug Bounty Program: 13 Feb 2019
    • Bug Fixed
  • Sarmad: 13 Feb 2019
    • Fix Confirmed
  • Meta Bug Bounty Program: 13 Feb 2019
    • Bounty Awarded

POC