Kassem Bazzoun

Published On: 25 Mar 2020

Sending messages to any Facebook user [ Bypassing Message Request ]

Privacy/Authentication
Facebook | Other
---
MEDIUM VALID
Description

In Facebook pages, admins are able to place an order for users who previously contacted the page, this order will be sent to the user through the messenger if we intercept the request before placing the order and changing the "consumer_id" to any Facebook user id , the message will be sent successfully and it will reach the user messenger directly .

Show Image

Impact

A malicious user is able to send "order" message to any Facebook user and the message will be sent to the user directly which is a bypassing to the "Message Request ".




Reproduction Steps

Step
1

 "Kassem" opened the inbox of his page , then he select any user who previously contacted the page

Step
2

in the right side he chooses "Add Activities " - > "Place order".

Step
3

once he clicked on it , he looked at the conversation with this user , a message is appeared -"You confirmed that "username" placed an order. Send Details")

Step
4

Clicking on "Send Details" then a box is appeared to fill some information about this order , so "Kassem" filled these information and then intercepting the request and placing the order.

Step
5

 "Kassem" changed the parameter "consumer_id" which is the id of the user we want to send him this order to any Facebook user id ! so "Kassem" changed it to the Victim id which is "James", and he send the order

Step
6

A message is reached "James" contained the order details ! although "James" haven't seen this page or contacted it previously! and the message is reaching "James" messenger directly without passing on the "Message Request.

Step
7

This is the GraphQl Request :

in the parameter variable , change the following params

consumer_id= the victim id ( the user we want to send him an order message).
page_id= this is the attacker page id .
actor_id= attacker id.

Scenarios

In this bug we are able to send this orders to all Facebook users ! imaging if someone sent it to "Mark Zuckerberg" , or if someone creates fake pages and making a script to send this message to Billions of users! the message will reach all users messenger , it's like a treasure for Marketers!

Is sending a message is a bug?

Sending message in normal case is not a bug , but we should focus here into some points 1) Pages are not able to contact any user who haven't liked the page or contacted it in the past . 2) the message will reach the user directly and this is not an intended behavior [ bypassing message request] 3) it's true that the user is able to block the page and prevent it from sending, but since the message is already sent and the attacker is able to create another page and make the same scenario . If a user didn't send a message to the page in the past the page will not be able to send him any message or contact with him and this is the server reply when i was trying to send a message from the page to any other user that we have no permission to contact him

Timeline
.
Kassem 03 Mar 2020

Report Sent

.
Facebook 05 Mar 2020

Pre-triage Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

.
Facebook 06 Mar 2020

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ... See More

.
Facebook 16 Mar 2020

Bug Fixed We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ... See More

.
Kassem 16 Mar 2020

Confirmation

.
Facebook 18 Mar 2020

Bounty Awarded You identified an issue whereby a page can bypass the Message Request feature a user has enabled.

VALID






Show All Images