Published On: 25 Mar 2020
In Facebook pages, admins are able to place an order for users who previously contacted the page; this order is sent to the user through Messenger. If we intercept the request before the order is placed and change the "consumer_id" to any Facebook user id, the message is sent successfully and reaches that user's Messenger directly.
A malicious user is therefore able to send an "order" message to any Facebook user, and the message is delivered to the user directly, which bypasses "Message Requests".
Step 1: "Kassem" opened the inbox of his page, then selected any user who previously contacted the page.
Step 2: On the right side he chose "Add Activities" -> "Place order".
Step 3: Once he clicked on it and looked at the conversation with this user, a message appeared: "You confirmed that "username" placed an order. Send Details".
Step 4: Clicking on "Send Details" opens a box to fill in some information about this order, so "Kassem" filled in this information, then intercepted the request while placing the order.
Step 5: "Kassem" changed the parameter "consumer_id", which is the id of the user the order is sent to, to another Facebook user id: he set it to the victim's id ("James") and sent the order.
Step 6: A message containing the order details reached "James", although "James" had never seen this page or contacted it previously, and the message arrived in "James"'s Messenger directly without passing through "Message Requests".
Step 7: This is the GraphQL request. In the variables parameter, the following params are changed:
consumer_id = the victim id (the user the order message is sent to).
page_id = the attacker's page id.
actor_id = the attacker's id.
With this bug we are able to send these orders to all Facebook users! Imagine if someone sent it to "Mark Zuckerberg", or if someone created fake pages and scripted this message to billions of users: the message would reach every user's Messenger. It's like a treasure for marketers!
Sending a message in the normal case is not a bug, but we should focus here on some points:
1) Pages are not able to contact any user who has not liked the page or contacted it in the past.
2) The message reaches the user directly, and this is not intended behavior (bypassing Message Requests).
3) It is true that the user is able to block the page and prevent it from sending, but the message has already been sent, and the attacker is able to create another page and repeat the same scenario.
If a user did not send a message to the page in the past, the page is not able to send him any message or contact him, and this is the server reply when I was trying to send a message from the page to another user whom we have no permission to contact:
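The root cause in Step 7 and the intended rule in point 1) come down to one missing server-side check: the "place order" mutation trusted consumer_id from the client instead of verifying that the recipient already has a conversation with the page. The following is an added example (not Facebook's code) that models that handler with an in-memory store and placeholder ids; the vulnerable form sits beside the hardened one that authorizes both the actor and the consumer.

```python
# Added example, not Facebook's code. Store, Forbidden, and all ids are
# constructed stand-ins for the real page/conversation/inbox data.
from dataclasses import dataclass, field


@dataclass
class Store:
    page_admins: dict = field(default_factory=dict)    # page_id -> {admin ids}
    conversations: dict = field(default_factory=dict)  # page_id -> {user ids who messaged the page}
    inbox: dict = field(default_factory=dict)          # user_id -> [delivered order messages]


class Forbidden(Exception):
    """Raised when a request fails authorization."""


def place_order_vulnerable(store, actor_id, page_id, consumer_id, details):
    """Trusts consumer_id from the request: any user id becomes reachable."""
    store.inbox.setdefault(consumer_id, []).append(details)
    return True


def place_order_hardened(store, actor_id, page_id, consumer_id, details):
    """Authorizes every object referenced by the request, not just the caller."""
    # The actor must administer the page the order is sent on behalf of.
    if actor_id not in store.page_admins.get(page_id, set()):
        raise Forbidden("actor is not an admin of this page")
    # The consumer must already have a conversation with this page; this is
    # the same rule that blocks ordinary page-to-user messages.
    if consumer_id not in store.conversations.get(page_id, set()):
        raise Forbidden("consumer has no existing conversation with this page")
    store.inbox.setdefault(consumer_id, []).append(details)
    return True


def demo():
    """Constructed scenario: one page, one prior customer, one outsider."""
    store = Store(page_admins={"page_1": {"admin_a"}},
                  conversations={"page_1": {"customer_1"}})
    order = {"item": "example item", "price": "10"}
    results = {"legit": place_order_hardened(store, "admin_a", "page_1", "customer_1", order)}
    # Outsider never contacted the page: vulnerable delivers, hardened refuses.
    results["vuln_delivered"] = place_order_vulnerable(store, "admin_a", "page_1", "outsider", order)
    try:
        place_order_hardened(store, "admin_a", "page_1", "outsider", order)
        results["hardened_delivered"] = True
    except Forbidden:
        results["hardened_delivered"] = False
    results["outsider_inbox"] = len(store.inbox.get("outsider", []))
    return results
```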