Majd Dhainy

Published On: 26 Apr 2021

Former Messenger group chat member can check if someone is a member of the chat.

Privacy/Authentication
Messenger | Android
---
MEDIUM VALID

A former group member in Facebook Messenger is still able to learn of any change to the group's member list (members added/left).

Description

A former group member in Facebook Messenger is still able to learn of any change to the group's member list (members added/left) by sending a 'remove participant' request and checking the server's response.

Impact

Former Messenger group chat member can check if someone is a member of the chat.




Reproduction Steps

Step 1

Setup
===
Users: UserA,UserB,UserC,UserD
Groups: GroupOne
Threads: Thread1 (Thread id of GroupOne)

Environment:

- UserA is the attacker. GroupOne is a chat group owned by UserB; UserA and UserC are current members of GroupOne.


Browser: n/a

App version: Messenger for Android 179.0.0.31.132 (Latest Version)



Steps
==
1. UserB removes UserA from GroupOne.
2. UserA wants to check whether UserC is inside or outside GroupOne.
3. UserA sends the request to remove a member from GroupOne. (To intercept this request, simply try to remove any member from a group that is owned by UserA, then change the parameters 'id' and 'to' to the target ids.)

POST //participants HTTP/1.1
.
.
.
.
id=t_Thread1&to=["UserC"]&locale=en_GB&client_country_code=LB&method=DELETE&fb_api_req_friendly_name=removeMembers&fb_api_caller_class=com.facebook.messaging.service.multicache.annotations.MultiCacheThreadsQueue

where Thread1 is the thread id of GroupOne and UserC is the id of UserC.

4. UserA checks the response to his request; it will be (500 Internal Server Error).
5. UserB removes UserC from GroupOne.
6. UserA repeats step 3 and checks the response to his request; it will be (403 Forbidden).
7. UserA adds UserD to the group.
8. UserA repeats step 3 (but replaces the UserC id with the UserD id) and checks the response to his request; it will be (500 Internal Server Error).

So we can conclude that, depending on the server response, the attacker can know whether the member is inside the group or not: if the response was (500 Internal Server Error), the member is inside, and if it was (403 Forbidden), the member is outside.
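
The status-code oracle described above, as an added example that is not part of the original report and is not Messenger's code: a constructed Python model in which the server is assumed to inspect the target before authorizing the caller, next to a hardened handler and a regression check. The handler names, the data layout and the hardened version's status mapping are assumptions.

```python
# Constructed model of a group-chat "remove participant" endpoint.
# All names are hypothetical; the root cause modelled here is an assumption.

GROUPS = {"Thread1": {"owner": "UserB", "members": {"UserB", "UserC"}}}  # constructed data


def remove_member_leaky(caller, thread_id, target, groups=GROUPS):
    """Assumed flawed ordering: the target is inspected before the caller is authorized."""
    group = groups[thread_id]
    if target not in group["members"]:
        return 403                      # target outside the group: rejected early
    if caller != group["owner"]:
        return 500                      # target inside: fails later with a different status
    group["members"].discard(target)
    return 200


def remove_member_hardened(caller, thread_id, target, groups=GROUPS):
    """Authorize the caller first; outsiders get one answer whatever the target is."""
    group = groups.get(thread_id)
    if group is None or caller not in group["members"]:
        return 403                      # same status for unknown thread or any target
    if caller != group["owner"]:
        return 403                      # members can already see the list; nothing new leaks
    if target not in group["members"]:
        return 404                      # only the owner sees membership-dependent output
    group["members"].discard(target)
    return 200


def leaks_membership(handler, caller, thread_id, member, non_member):
    """Regression check: does an outsider's response depend on the target's membership?"""
    groups = {thread_id: {"owner": "UserB", "members": {"UserB", member}}}
    inside = handler(caller, thread_id, member, groups)
    outside = handler(caller, thread_id, non_member, groups)
    return inside != outside


if __name__ == "__main__":
    for handler in (remove_member_leaky, remove_member_hardened):
        leaked = leaks_membership(handler, "UserA", "Thread1", "UserC", "UserD")
        print(handler.__name__, "leaks membership:", leaked)
```

A check like `leaks_membership` belongs in the endpoint's test suite for every caller role that should not see the member list, so a later change to the order of checks cannot reintroduce the difference.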

Thanks

I would like to thank my friends Saugat Pokharel, Sarmad Hassan & Kassem Bazzoun for their amazing & continuous support.


Timeline
Majd, 20 Mar 2021: Initial Report
Facebook, 24 Mar 2021: Report Triaged
Facebook, 24 Apr 2021: Report Fixed
Majd, 24 Apr 2021: Fix Confirmed
Facebook, 26 Apr 2021: Bounty awarded
