Published On: 05 Jul 2020
There is a GraphQL call in the Facebook Messenger application (Android) that is responsible for fetching the CDN URL of attachments sent via the application (audio, video, images) by sending the id of the file. It was possible to retrieve this link for a deleted attachment within 24-48 hours.
A malicious user is able to access removed attachments sent to his inbox.
Step 1
User A sent a wrong image to User B, then deleted it immediately, before User B saw it.
Step 2
User B opened his Messenger and wants to access this deleted file.
Step 3
User B starts brute forcing the attachment id, which is the aid parameter:
GET /method/messaging.getAttachment?access_token=EAADo1TDZCs.........o4lRwqrfAZD&mid=m-XN2Vy0XGTTNHtI&aid=557707478236527&format=binary HTTP/1.1
X-ZERO-EH: d74d3a21bff49a7491baf87adea0d45d
Step 4
The direct link of this deleted attachment will be located in the "Location" header of the response, and the user will be able to see the CDN link before it goes away, so he has 24-48 hours to do this:
HTTP/1.1 302 Found
facebook-api-version: v1.0
Strict-Transport-Security: max-age=15552000; preload
Pragma: no-cache
x-fb-rev: 1001584889
Access-Control-Allow-Origin: *
Cache-Control: private, no-cache, no-store, must-revalidate
Location: https://scontent.xx.fbcdn.net/v/wl/t1.15752-9/fr/cp0/e15/q65/60433625_46908339sdsdsdstestttttttttt6_n.jpg?_nc_cat=109&_nsdsdsdsdsm&_nc_cid=0&_nc_zor=9&_nc_ht=scontent.xx&_nc_tp=12&oh=6244490ac616aab8cf147b52efcf78fe&oe=5EA5A635
x-fb-trace-id: CtO/imxWAOZ
x-fb-request-id: ALaOZmfAQZWFm3Mq6fDyKIe
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html; charset="utf-8"
X-FB-Debug: kqTxp00l0Lh8bZ9usadasdsGwrme+TNrBLG6ofknnZLsEh87C3UgnRukYBmwH+w==
Date: Wed, 08 Jan 2020 13:13:56 GMT
Connection: close
Content-Length: 0
As we know, the CDN link will go away after some time, but I sent this bug because the user who received the deleted attachment has no way to retrieve the CDN link, yet it is always possible to brute force a numeric attachment id through this endpoint to retrieve it. Some cases can't be handled on Facebook's side due to how the internet works (e.g. the user has a browser extension that checks the file once it is sent and saves it locally before it is deleted), but in the case I sent it is Facebook's responsibility, and this bug can be mitigated by implementing checks on the "aid" parameter so that if the file is deleted, the server shouldn't return the CDN link.
I noticed that this bug was fixed by Facebook: once the file is deleted the server won't return the CDN link in the Location header, and instead throws an error (400 Bad Request): Error 509: Invalid attachment id (509)
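As an added illustration of the mitigation described above (this is a toy model written for this writeup, not Facebook's code; the attachment store, ids and CDN URLs are constructed placeholders, and binding the aid to the mid is an extra check assumed here, not one the report confirms), the endpoint before and after the check on the deleted state of the attachment:

```python
from dataclasses import dataclass

ERROR_509 = {"error": "Invalid attachment id (509)"}


@dataclass
class Attachment:
    aid: int
    mid: str          # message the attachment belongs to
    cdn_url: str      # signed CDN link handed out via the Location header
    deleted: bool = False


# Constructed sample store; the ids, mid and URLs are placeholders.
ATTACHMENTS = {
    1001: Attachment(1001, "m-CONSTRUCTED", "https://cdn.example/placeholder_1.jpg"),
    1002: Attachment(1002, "m-CONSTRUCTED", "https://cdn.example/placeholder_2.jpg",
                     deleted=True),
}


def get_attachment_vulnerable(mid: str, aid: int):
    """Behaviour the report describes: any aid that still maps to a stored
    file is redirected to the CDN, even after the sender deleted it, so a
    guessed numeric aid leaks the link for up to 24-48 hours."""
    att = ATTACHMENTS.get(aid)
    if att is None:
        return 400, ERROR_509
    return 302, {"Location": att.cdn_url}


def get_attachment_fixed(mid: str, aid: int):
    """Mitigation: a deleted attachment (and, as an assumed extra check, an
    aid that does not belong to the requested mid) is answered exactly like
    an unknown id, so the response reveals neither the link nor whether
    the guessed aid ever existed."""
    att = ATTACHMENTS.get(aid)
    if att is None or att.deleted or att.mid != mid:
        return 400, ERROR_509
    return 302, {"Location": att.cdn_url}
```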