Published On: 11 Jun 2019
Poking through some endpoints on Facebook's Android application (using Facebook's newly added whitehat settings), I found an endpoint for sending Waves to a group. The parameter lwa_type was responsible for the attachment sent. Changing this to anything would throw an error giving you the accepted parameters, one of which was "VIDEO_REQUEST".
After sending through the VIDEO_REQUEST attachment, everything started going haywire. The first problem that arose was that the Android app was crashing when viewing the attachment. I then noticed that if you tried to view the messages in the Facebook web inbox it would get stuck in an infinite loading loop, and similarly if you opened messenger.com it would also get stuck in an infinite loop. On top of all of this, there were also some edge cases where users' chats were getting deleted as well.
The impact of this is that you could completely bar a user from using any form of messaging on their account. The only exception to this is if you had an iOS device (as it didn't crash on iOS) and also figured out which chat had the attachment.
Step 1: Open up Messenger on the Android device.
Step 2: Click the groups/friends option. Not sure what it's really called; it's the button in the middle on my device.
Step 3:
Step 4: Turn on intercept and wave to the group you want the crash to be in.
Step 5: There should be a request made to graph.facebook.com, and within it you should see the following parameter:
"lwa_type":"WAVE"
Step 6: Change WAVE to VIDEO_REQUEST and forward the message through.
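The report describes an lwa_type value that the wave endpoint accepted but that the Android and web clients could not display. As an added example (not Facebook's code and not part of the original post), the following shows a per-endpoint allowlist whose error does not list the accepted values, together with a client renderer that falls back to a placeholder for a type it cannot draw. The endpoint name `send_wave`, the function names and the sample attachments are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical per-endpoint allowlist: the wave endpoint accepts only the
# types every client can render as a wave, not the whole shared enum.
ENDPOINT_ALLOWED = {"send_wave": {"WAVE"}}


class RejectedRequest(Exception):
    """Generic rejection; the message never echoes the accepted values."""


def validate_lwa_type(endpoint: str, params: dict) -> str:
    """Server side: reject any lwa_type not allowlisted for this endpoint."""
    value = params.get("lwa_type")
    allowed = ENDPOINT_ALLOWED.get(endpoint, set())
    if not isinstance(value, str) or value not in allowed:
        # Detail belongs in server logs, not in the response body.
        raise RejectedRequest("invalid parameter: lwa_type")
    return value


@dataclass
class Rendered:
    kind: str
    text: str


def _render_wave(attachment: dict) -> Rendered:
    return Rendered("wave", f"{attachment.get('sender', 'Someone')} waved")


# Renderers this (hypothetical) client build actually ships.
RENDERERS = {"WAVE": _render_wave}


def render_attachment(attachment: dict) -> Rendered:
    """Client side: an unknown or failing type degrades to a placeholder,
    so one bad message cannot block the whole thread or inbox."""
    renderer = RENDERERS.get(attachment.get("lwa_type"))
    if renderer is None:
        return Rendered("unsupported", "Unsupported message")
    try:
        return renderer(attachment)
    except Exception:
        return Rendered("unsupported", "Unsupported message")
```

Either guard alone limits the impact described above: the allowlist keeps the unrenderable attachment out of the thread, and the fallback keeps an already stored one from taking the client down.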