Facebook Messenger bug. React to any message on behalf of a Facebook Page

on
Reacting to Facebook Messages 

An Admin can interact with his Facebook Page through Facebok page's Inbox, there is no UI to react to the messages like HAHA, LOVE etc. 

Reply to the messages.
You must be knowing about the WhatsApp messenger's Reply feature where you can reply to a particular message.

There is something for Facebook messenger too.
You can reply to message by hovering over the message and there will be "Reply" option.
Click on that. 
Now type some random message and click on "Send" and intercept the request. You can find in the HTTP Request that there is a parameter "message_id" in the message body. Change to some other message_id that doesn't belong to chat that you currently opened.
Now I sent the request. There was an error that was thrown saying .. "The content is longer available". 

Now my next adventure to try to find a bug in the Messaging continues.

If you have a conversation with your girlfriend you can always react to her messages with the regular reactions will be the heart emoji .. I know it. No need to shy away.

So let's get into the bug details.

Click on your girlfriend in your chat list and select one of her messages where she said I LOVE YOU and react to that and intercept the HTTP Request. 
The HTTP Request will be like the following.

POST /webgraphql/mutation/?doc_id=1491398900900362&variables=%7B%22data%22%3A%7B%22client_mutation_id%22%3A%221%22%2C%22actor_id%22%3A%22USER_B_ID%22%2C%22action%22%3A%22ADD_REACTION%22%2C%22message_id%22%3A%22mid.%24cAA****B6Vl**vsBJqn%22%2C%22reaction%22%3A%22%E2%9D%A4%22%7D%7D HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com/messages/t/1219904004777648
Content-Type: application/x-www-form-urlencoded
Content-Length: 597
Origin: https://www.facebook.com/
Connection: close
Cookie: *********

There is parameter in the message body, "actor_id" which will be pointing to your FB ID, Now what to do is change its value to the ID of the Page ID for which you are an additional admins.

Remember only admins can do that. Here's an annoying proof


Comments

  1. Meghan Core7 July 2020 at 04:05

    Nice article, thank you for sharing, I also wants to add new and amazing online communication platform that is TOUKU. With the use of TOUKU you can share instant messages, videos and images with your friends and family.

    ReplyDelete

Post a Comment