Published On: 21 May 2020
On Facebook Pages, admins are able to place an order for a user who has previously contacted the page; the order is sent to that user through Messenger. If we intercept the request before the order is placed and change "product_image_url" to a crafted URL, Facebook Messenger on the victim's side fails to load the chat: the page keeps showing the load button, and the mobile version (e.g. m.facebook.com) is completely down. However, the user is still able to use Messenger in the app.
A malicious user is able to DoS other users' Messenger by preventing them from loading their messages.
Step 1
"Kassem" opened the inbox of his page, then selected a user who had previously contacted the page (the victim).
Step 2
On the right side he chose "Add Activities" -> "Place order".
Step 3
Once he clicked on it, he looked at the conversation with this user, where a message had appeared: "You confirmed that "username" placed an order. Send Details".
Step 4
Clicking on "Send Details" opened a box for entering some information about the order, so "Kassem" filled in this information and then intercepted the request when placing the order.
Step 5
"Kassem" changed the parameter "product_image_url" to a crafted URL.
While I was testing, I added a website after the last parameter (oe=). I was trying to see if there was any execution for any link (e.g. IP disclosure), but I was surprised that Messenger was not able to load the chat, and m.facebook.com was completely down.
So adding a website to the end of the URL from (scontent.fbey) causes Facebook Messenger to fail to load messages.
This is the error returned while fetching the chats:
Errors while executing operation \"MessengerThreads\": At Query.message_thread:MessageThread.messages:MessagesOfThreadConnection.nodes[1]:UserMessage.extensible_attachment:ExtensibleMessageAttachment.story_attachment:StoryAttachment.media: Field implementation threw an exception. Check your server logs for more information.
Step 6
If you browse your inbox through m.facebook.com, it shows an error:
"Sorry, something went wrong"
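A defensive sketch of the two controls this report points to, as an added example that is not from the original write-up or from Facebook's code: validating "product_image_url" when the order is placed, and containing a failing media resolver so that one attachment cannot fail the whole thread query. The host allowlist, the token pattern for query values, the function names and the sample thread are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ALLOWED_HOSTS = {"cdn.example.com"}    # assumption: constructed allowlist, not a real host
TOKEN = re.compile(r"[A-Za-z0-9_-]+")  # assumption: query values are opaque tokens


def is_valid_image_url(url):
    """Write-time check for product_image_url: https, known host, token-only query values."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or host not in ALLOWED_HOSTS or parts.username:
        return False
    # A site appended after the last parameter (oe=) makes that value a non-token.
    return all(TOKEN.fullmatch(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))


def resolve_media(message):
    """Hypothetical stand-in for a media resolver that throws on a URL it cannot handle."""
    url = message["product_image_url"]
    if not is_valid_image_url(url):
        raise ValueError("unresolvable media URL")
    return {"src": url}


def load_thread(messages):
    """Read-time isolation: a failing attachment nulls its own field, not the thread."""
    nodes, errors = [], []
    for index, message in enumerate(messages):
        try:
            media = resolve_media(message)
        except Exception as exc:  # broad on purpose: any resolver failure is contained
            media = None
            errors.append((index, str(exc)))
        nodes.append({"text": message["text"], "media": media})
    return nodes, errors


# Constructed sample thread; the second order has a site appended after oe=.
THREAD = [
    {"text": "order 1", "product_image_url": "https://cdn.example.com/p.jpg?oe=5EC6A1B2"},
    {"text": "order 2",
     "product_image_url": "https://cdn.example.com/p.jpg?oe=5EC6A1B2https://site.example"},
    {"text": "hello", "product_image_url": "https://cdn.example.com/q.jpg?oe=5EC6A1B3"},
]
```

Rejecting the URL at order placement stops the bad value from being stored; the per-message isolation in `load_thread` keeps already-stored bad values from blocking the rest of the conversation.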
I would like to thank my friend Abdallah Yaala, who helped me while testing this bug.