Skip to main content

Facebook Messenger bug. React to any message on behalf of a Facebook Page

Reacting to Facebook Messages 

An Admin can interact with his Facebook Page through Facebok page's Inbox, there is no UI to react to the messages like HAHA, LOVE etc. 

Reply to the messages.
You must be knowing about the WhatsApp messenger's Reply feature where you can reply to a particular message.

There is something for Facebook messenger too.
You can reply to message by hovering over the message and there will be "Reply" option.
Click on that. 
Now type some random message and click on "Send" and intercept the request. You can find in the HTTP Request that there is a parameter "message_id" in the message body. Change to some other message_id that doesn't belong to chat that you currently opened.
Now I sent the request. There was an error that was thrown saying .. "The content is longer available". 

Now my next adventure to try to find a bug in the Messaging continues.

If you have a conversation with your girlfriend you can always react to her messages with the regular reactions will be the heart emoji .. I know it. No need to shy away.

So let's get into the bug details.

Click on your girlfriend in your chat list and select one of her messages where she said I LOVE YOU and react to that and intercept the HTTP Request. 
The HTTP Request will be like the following.

POST /webgraphql/mutation/?doc_id=1491398900900362&variables=%7B%22data%22%3A%7B%22client_mutation_id%22%3A%221%22%2C%22actor_id%22%3A%22USER_B_ID%22%2C%22action%22%3A%22ADD_REACTION%22%2C%22message_id%22%3A%22mid.%24cAA****B6Vl**vsBJqn%22%2C%22reaction%22%3A%22%E2%9D%A4%22%7D%7D HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com/messages/t/1219904004777648
Content-Type: application/x-www-form-urlencoded
Content-Length: 597
Origin: https://www.facebook.com/
Connection: close
Cookie: *********

There is parameter in the message body, "actor_id" which will be pointing to your FB ID, Now what to do is change its value to the ID of the Page ID for which you are an additional admins.

Remember only admins can do that. Here's an annoying proof


Comments

  1. Meghan Core7 July 2020 at 04:05

    Nice article, thank you for sharing, I also wants to add new and amazing online communication platform that is TOUKU. With the use of TOUKU you can share instant messages, videos and images with your friends and family.

    ReplyDelete

Post a Comment

Popular posts from this blog

$1337 YouTube Community (Posts) bug

YouTube Community  is a feature that is only available for Channels with  1. Verified Phone numbers 2.  A significant history, more content for years. In the early June I started hunting for Security flaws on YouTube I was roaming around the features but most of the places have been found secure or already potential features had the bugs fixes in place. The Community Tab is now Posts So, I thought to exploit Youtube Community feature. I was trying to delete the Posts using IDOR attacks but it didn't work I was tired of trying various attacks but thought to compromise to the least "Privilege escalation".  The Security flaw... A user (victim) created a YT Community post, later an attacker while being an Admin of the same Channel has saved the HTTP Request that deletes a Community Post / Poll, then the attacker can replay that HTTP Request after he's demoted from Admin to Subtitle Editor  that would delete the Post / Poll. I exploited this flaw I tried after 15 ...
Post a Comment
Read more

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages.  The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker,  Bug Bounty of $500
Post a Comment
Read more

Instagram Reels bug $$$$ Bug Bounty : Making users share unintented reels

 This bug is categorised as IDOR. We all share Instagram reels with our friend via DM.  Did you every try "Copy link" and share on mediums like WhatsApp or any similar apps ?  When you do that, the generated Link would be of the below URL https://www.instagram.com/reels/<REEL_ID>?igsh=<Encrypted> The igsh in the Query params of URL is an encrypted string, that would get decrypted on the Instagram servers to the User's Profile ID.  On clicking on the link, it would open the Instagram App and plays the reel and then an interruption will be by a popup like the below screenshot  The Attack... Crafting the URL ...  If you replace the <Reel_ID> (What the user intended to share) with a <Granphically_Sensitive_Content_REEL_ID> in the link and send it to users, when ever any user opens the link. It would show graphically sensitive content and then a Popup of the victim's profile. Though they didn't intend to share it.  Report timeline...
Post a Comment
Read more