There is a GraphQL call in the Facebook Messenger application (Android) that is responsible for fetching the CDN URL of an attachment sent via the application (audio, video, image). By sending the id of the file, it was possible to retrieve this link for an attachment that had already been deleted, for as long as the CDN copy survived (roughly 24-48 hours).
A malicious user is therefore able to access removed attachments that were sent to his inbox.
User A sends a wrong image to User B and deletes it immediately, before User B has seen it.
User B opens his Messenger and wants to access this deleted file.
User B starts brute-forcing the attachment id, which is the "aid" parameter of the call. Because the id is a plain number, sweeping a range of ids is cheap.
The direct link to the deleted attachment is returned in the "Location" header of the 302 response, so User B can obtain the CDN link before it expires; he has 24-48 hours to do this.
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=15552000; preload
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html; charset="utf-8"
Date: Wed, 08 Jan 2020 13:13:56 GMT
As we know, the CDN copy goes away after some time, but I sent this bug because the user who received the deleted attachment has no other way to retrieve the CDN link, yet it is always possible to brute-force the numeric attachment id through this endpoint and get that link back. Some cases cannot be handled from Facebook's side because of how the internet works (e.g. the user has a browser extension that grabs the file as soon as it is sent and saves it locally before it is deleted), but in the case I reported it is Facebook's responsibility, and the bug can be mitigated by implementing a check on the "aid" parameter: if the file has been deleted, the server should not return the CDN link.
I noticed that this bug was fixed by Facebook: once the file is deleted, the server no longer returns the CDN link in the Location header and instead returns an error (400 Bad Request) with the body: Error 509: Invalid attachment id (509)
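To make the two behaviours concrete, here is an added Python model of the lookup described on this page. It is not the page's own code and not Facebook's: the attachment store, the ids, the CDN hostnames and the 24-48 hour retention window are constructed for the example, and the error text is the one quoted above. The vulnerable handler redirects to the CDN for any id the CDN can still serve, including deleted attachments, while the fixed handler consults the deletion state before answering; a simple id sweep shows the difference.

```python
"""Model of the Messenger attachment-URL lookup (constructed example).

A call takes a numeric attachment id ("aid") and answers 302 with the CDN
URL in the Location header. The vulnerable version answers for every id the
CDN still has a copy of; the fixed version refuses deleted attachments with
400 and the error body quoted on the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, Optional, Tuple

# Hypothetical retention: the page reports deleted files surviving 24-48 h.
CDN_TTL = timedelta(hours=48)
ERROR_BODY = "Error 509: Invalid attachment id (509)"

# Fixed "now" for reproducibility (the Date header on the page).
NOW = datetime(2020, 1, 8, 13, 13, 56)

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


@dataclass
class Attachment:
    cdn_url: str
    deleted_at: Optional[datetime] = None


def make_store(now: datetime) -> Dict[int, Attachment]:
    """Constructed message store: ids and hostnames are invented."""
    return {
        1001: Attachment("https://cdn.example/att/1001.jpg"),
        # deleted an hour ago: the CDN copy is still up
        1002: Attachment("https://cdn.example/att/1002.mp4",
                         deleted_at=now - timedelta(hours=1)),
        # deleted three days ago: the CDN copy has already been purged
        1003: Attachment("https://cdn.example/att/1003.ogg",
                         deleted_at=now - timedelta(hours=72)),
    }


STORE = make_store(NOW)


def cdn_still_serves(att: Attachment, now: datetime) -> bool:
    """The CDN keeps a deleted object for CDN_TTL after deletion."""
    return att.deleted_at is None or now - att.deleted_at < CDN_TTL


def vulnerable_lookup(store: Dict[int, Attachment], aid: int, now: datetime) -> Response:
    """Redirects whenever the CDN can still serve the object, deleted or not."""
    att = store.get(aid)
    if att is None or not cdn_still_serves(att, now):
        return 400, {"Content-Type": "text/html; charset=\"utf-8\""}, ERROR_BODY
    return 302, {"Location": att.cdn_url}, ""


def fixed_lookup(store: Dict[int, Attachment], aid: int, now: datetime) -> Response:
    """Checks the deletion state of the aid before ever exposing the CDN URL."""
    att = store.get(aid)
    if att is None or att.deleted_at is not None:
        return 400, {"Content-Type": "text/html; charset=\"utf-8\""}, ERROR_BODY
    return 302, {"Location": att.cdn_url}, ""


def brute_force(lookup: Callable[..., Response], store: Dict[int, Attachment],
                aid_range: Iterable[int], now: datetime) -> Dict[int, str]:
    """Sweep a numeric aid range and collect every Location header returned."""
    found: Dict[int, str] = {}
    for aid in aid_range:
        status, headers, _ = lookup(store, aid, now)
        if status == 302 and "Location" in headers:
            found[aid] = headers["Location"]
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", brute_force(vulnerable_lookup, STORE, ids, NOW))
    print("fixed:     ", brute_force(fixed_lookup, STORE, ids, NOW))
```

The point of the fix is where the check lives: the vulnerable handler effectively asks the CDN whether the object still exists, while the fixed one asks the message store whether the attachment was deleted. The CDN copy of 1002 is still up in both cases, so anyone who already captured its URL can still fetch it for the rest of the window; the fix only closes the id-based path to learning that URL.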