Setup
===
Users: UserA,UserB,UserC,UserD
Groups: GroupOne
Threads: Thread1 (Thread id of GroupOne)

Environment:

- UserA is the attacker, chat group GroupOne with owner UserB, UserA, and UserC are current members in GroupOne.


Browser: n/a

App version: Messanger for Android 179.0.0.31.132 (Latest Version)



Steps
==
1. UserB removes UserA from GroupOne
2. UserA wants to check if UserC is inside or outside the GroupOne
3. UserA sends the request to remove a member from a GroupOne: ( to intercept this request simply try to remove any member from a group that is owned by UserA and then change the parameters 'id' and 'to' to your target ids )

POST //participants HTTP/1.1
.
.
.
.
id=t_Thread1&to=
["UserC"]&locale=en_GB&client_country_code=LB&method=DELETE&fb_api_req_friendly_name=removeMembers&fb_api_caller_class=com.facebook.messaging.service.multicache.annotations.MultiCacheThreadsQueue

where Thread1 is the thread id of groupOne and UserC is the id of UserC

4. UserA checks the response of his request it will be (500 Internal Server Error) 
5.UserB removes UserC from GroupOne
6. UserA repeats step 3 and checks the response of his request it will be (403 Forbidden) 
7. UserA added userD to the group.
8. UserA repeats step 3 (but replaces UserC id with userD id) and checks the response of his request it will be (500 Internal Server Error)

so we can conclude depending on the server  response attacker can know if the member is inside the group or not
,if the response was (500 Internal Server Error) => member is inside and if it was (403 Forbidden) => member is outside .