Saturday, 18 August 2018

Privilege Escalation in Facebook Messenger Rooms

Privilege Escalation in Facebook Rooms: reject a user's request to join a Facebook chat room without having to be the admin.


Vulnerability Type:

Privilege Escalation / Authorization Bypass

Product Area:

Messenger



Description/Impact

After digging around in Facebook looking for possible bugs, I came across Messenger Rooms. Each room has an administrator who holds almost all of the permissions needed to control the room, for example rejecting or accepting requests to join it.

After poking around in the HTTP requests, I found that the endpoint for rejecting a user's join request wasn't verifying that the user making the POST request was actually an admin of the chat.

So as long as you were in the chat, you could send a POST request to "https://www.messenger.com/api/graphqlbatch/", set "thread_id=" to the target room and "user_id=" to the user you wanted to reject, and it would go through.

Reproduction Steps:

1) The attacker intercepts the request to reject a member's request to join a room.
2) The attacker changes the &thread_id to the target room.
3) The attacker changes the &user_id to the target user.
4) The attacker forwards the request, and the user is rejected from the room.
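The root cause described above and reproduced in the steps is a missing role check: the endpoint confirmed the caller was in the chat but never checked that the caller was an admin of the thread named in the request. The following added example (not Facebook's or Messenger's code) models a "reject join request" handler in the vulnerable form beside its hardened form. The Room type, the room and user ids and the status codes are constructed for this illustration; the point is that the authorization decision must be bound to the specific thread_id in the request and to the caller's role in that room.

```python
"""Model of a group-chat "reject join request" handler, vulnerable and fixed.

Added example, not Facebook's code. All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Room:
    thread_id: str
    admins: set = field(default_factory=set)    # users allowed to moderate
    members: set = field(default_factory=set)   # everyone in the chat
    pending: set = field(default_factory=set)   # users waiting for approval


# Audit trail of denied moderation attempts; a SOC would alert on bursts here.
DENIALS = []


def make_rooms() -> dict:
    """Constructed sample state: one room, one admin, one plain member,
    one user whose join request is still pending."""
    return {
        "room-1": Room(
            thread_id="room-1",
            admins={"alice"},
            members={"alice", "bob"},
            pending={"carol"},
        )
    }


def reject_join_request_vulnerable(rooms: dict, caller: str,
                                   thread_id: str, user_id: str) -> int:
    """Mirrors the flaw: any member of the room may reject any pending user.
    Returns an HTTP-style status code."""
    room = rooms.get(thread_id)
    if room is None:
        return 404
    if caller not in room.members:          # membership only, no role check
        return 403
    room.pending.discard(user_id)
    return 200


def reject_join_request_fixed(rooms: dict, caller: str,
                              thread_id: str, user_id: str) -> int:
    """Hardened handler: the caller must be an admin of the room identified
    by thread_id, and the target must actually have a pending request."""
    room = rooms.get(thread_id)
    if room is None:
        return 404
    if caller not in room.admins:           # role check bound to this thread_id
        DENIALS.append((caller, thread_id, user_id))
        return 403
    if user_id not in room.pending:
        return 404                          # nothing to reject
    room.pending.discard(user_id)
    return 200


def demo() -> dict:
    """Runs the same non-admin request against both handlers and an admin
    request against the fixed one; returns the status codes for inspection."""
    results = {}
    rooms = make_rooms()
    results["vulnerable_member"] = reject_join_request_vulnerable(
        rooms, "bob", "room-1", "carol")            # 200: bob is only a member
    rooms = make_rooms()
    results["fixed_member"] = reject_join_request_fixed(
        rooms, "bob", "room-1", "carol")            # 403: not an admin
    results["fixed_admin"] = reject_join_request_fixed(
        rooms, "alice", "room-1", "carol")          # 200: alice is the admin
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately evaluated per request: the admin set is looked up on the room named by thread_id, so a caller who is an admin of one room gains nothing by substituting another room's id. Logging the denial gives defenders a signal for a member repeatedly probing moderation endpoints.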


Video Proof of Concept



Timeline:

18/May/2018  Report sent
22/May/2018  Initial response by Facebook / bug confirmed by Facebook
12/Jul/2018  Facebook sends it to the appropriate product team for further investigation
01/Aug/2018  Bug fixed and response by Facebook
02/Aug/2018  Confirmation of fix by me
18/Aug/2018  Bounty awarded
