
Facebook Messenger Bug - Set nickname for a Facebook Page from Messenger


I've been submitting a couple of bugs that I found in users' Messenger or in a Facebook Page's inbox. The tricky thing from the team is that the bugs are not getting accepted at all, just because of COVID.

One of the bugs in my previous post was about setting the emoji, but it was reported as a duplicate, just because they were already aware, or they don't want to pay the users and want to escape the payments, as the U.S. is already in a depression and because of leadership 😜

Let's get into the bug details..

For users, it is normal to set nicknames for the friends in their chat list.
But for Facebook Pages the option doesn't appear.

There is actually no UI for setting the Names for the FB Page.
All the options that appear for the Messenger for a normal user are:
  • Setting Emoji
  • Setting Nick Name
  • Setting Theme

There are different roles for Facebook Pages: Admin, Editor and Moderator, who could access the Page's inbox.

The HTTP request that is used for setting the nickname for a user is:

POST /messaging/save_thread_nickname/?source=thread_settings HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com/messages/t/123123
Content-Length: 719
Origin: https://www.facebook.com/
Connection: close
Cookie:******

request_user_id=USER_B_ID&thread_or_other_fbid=USER_A_ID&participant_id=USER_A_ID&nickname=Hacker&__user=100013664491037&__a=1&__dyn=****

There are 3 parameters:
  • requested_user_id (request_user_id in the request above)
  • thread_user_id (thread_or_other_fbid in the request above)
  • participant_id

requested_user_id is the person who is setting the nickname.
thread_user_id is the other person, for whom the name is being set.

participant_id is the same as thread_user_id.

First thought: let's change the requested_user_id to the Page name.
The response was "Content not available".
Second thought: set thread_user_id to the Facebook Page. Annnnd... yes, it worked. I could set the nickname for a Page.
A UI then appeared in Messenger, as shown in the image below.



Let's change the participant_id to something new, like an unpublished Page or a secret group.
But in the UI of Messenger or the Page's inbox, it appeared as "participant" in place of the secret group or unpublished Page.
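
A server-side check that would reject each of the three modified requests described above, as an added example (not Facebook's code and not part of the original post). The IDs, the `OBJECT_KIND` and `THREADS` stores, the `body` helper and the policy that nicknames apply only to user-to-user threads are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed data: every ID and both stores are made up for this example.
OBJECT_KIND = {"100": "user", "200": "user", "900": "page", "950": "unpublished_page"}
# Pairs of IDs that really share a Messenger thread.
THREADS = {frozenset({"100", "200"}), frozenset({"200", "900"})}


def check_nickname_request(session_user: str, form_body: str) -> str:
    """Return "allow" or a "deny: ..." reason for a save_thread_nickname body."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    requester = form.get("request_user_id")
    other = form.get("thread_or_other_fbid")
    participant = form.get("participant_id")

    # 1. The acting identity comes from the session, never from the body.
    if requester != session_user:
        return "deny: request_user_id does not match the session"
    # 2. The requester must actually be in the thread being changed.
    if frozenset({requester, other}) not in THREADS:
        return "deny: requester is not in this thread"
    # 3. Assumed policy: nicknames exist only for user-to-user threads.
    if OBJECT_KIND.get(other) != "user":
        return "deny: nicknames are not supported for this thread type"
    # 4. The renamed participant must be one of the thread's two members.
    if participant not in (requester, other):
        return "deny: participant_id is not a member of the thread"
    return "allow"


def body(requester: str, thread: str, participant: str) -> str:
    """Build a constructed form body in the shape of the request above."""
    return (f"request_user_id={requester}&thread_or_other_fbid={thread}"
            f"&participant_id={participant}&nickname=Hacker")


if __name__ == "__main__":
    cases = {
        "original request": body("200", "100", "100"),
        "request_user_id set to a Page": body("900", "100", "100"),
        "thread set to a Page": body("200", "900", "900"),
        "participant_id set to an unpublished Page": body("200", "100", "950"),
    }
    for label, form_body in cases.items():
        print(f"{label}: {check_nickname_request('200', form_body)}")
```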

I submitted a report saying that a nickname could be set, and here's one more annoying reply.

                        
