A former group member in Facebook messenger still able to disclose any change in the member group list ( members added/left)
A former group member in Facebook messenger still able to disclose any change in the member group list ( members added/left) by sending a 'remove participant' request and checking the server's response.
Former Messenger group chat member can check if someone is a member of the chat.
Threads: Thread1 (Thread id of GroupOne)
- UserA is the attacker, chat group GroupOne with owner UserB, UserA, and UserC are current members in GroupOne.
App version: Messanger for Android 188.8.131.52.132 (Latest Version)
1. UserB removes UserA from GroupOne
2. UserA wants to check if UserC is inside or outside the GroupOne
3. UserA sends the request to remove a member from a GroupOne: ( to intercept this request simply try to remove any member from a group that is owned by UserA and then change the parameters 'id' and 'to' to your target ids )
POST //participants HTTP/1.1
where Thread1 is the thread id of groupOne and UserC is the id of UserC
4. UserA checks the response of his request it will be (500 Internal Server Error)
5.UserB removes UserC from GroupOne
6. UserA repeats step 3 and checks the response of his request it will be (403 Forbidden)
7. UserA added userD to the group.
8. UserA repeats step 3 (but replaces UserC id with userD id) and checks the response of his request it will be (500 Internal Server Error)
so we can conclude depending on the server response attacker can know if the member is inside the group or not
,if the response was (500 Internal Server Error) => member is inside and if it was (403 Forbidden) => member is outside .
I would like to thank my friends Saugat Pokharel, Sarmad Hassan & Kassem Bazzoun for their amazing & continuous support.