Max Pasqua

Published On: 13 May 2019

$1,000

Crashing Users in Facebook Messenger

Other
Facebook | Android
---
LOW VALID

Within Facebook Messenger there is a feature to tag your friends using the @ symbol. For example, typing @Mark would send a notification to Mark saying someone is trying to get his attention.

Description

When making the tag, Facebook applies an underline to the name to make it more obvious to the viewer. To do this, there is a parameter in the POST request called &profile_xmd[0][length]. This parameter accepted any number, so you could tell Facebook you wanted a length of just over 4,000,000,000, which raised the following error: java.lang.IndexOutOfBoundsException: setSpan (0 ... -1). This in turn caused the application of any victim who viewed the message to crash.


Impact

The impact varies from device to device. In some cases the user was able to restart the app and it would be fixed. In some cases they wouldn't be able to open that chat ever again without crashing. And some required a full reinstall of the app.




Reproduction Steps

Step 1

Tag the victim in your chat of choice and intercept the POST request made to send the message.

Step 2

Change &profile_xmd[0][length] to a very large number.

Step 3

Send the message through.
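An added example, not code from this report or from Facebook, covering the description and the reproduction steps above: it models how an unchecked length just over 4,000,000,000 wraps to -1 once a client narrows it to a 32-bit Java int (giving the setSpan (0 ... -1) range in the error), and the server-side bounds check that rejects such a tag before any viewer's app renders it. The message text and request-body fragment are constructed; only the profile_xmd[0][length] field from the report is modelled.

```python
from urllib.parse import parse_qs

# Constructed sample: a message that opens with a mention of Mark, and the
# form-encoded fragment of the send request that carries the tag length.
MESSAGE = "@Mark can you look at this?"
MENTION_OFFSET = MESSAGE.index("@")                   # 0 for this sample
SAFE_BODY = "profile_xmd[0][length]=5"                # len("@Mark")
CRASH_BODY = "profile_xmd[0][length]=4294967295"      # 2**32 - 1


def parse_mention_length(body: str) -> int:
    """Read profile_xmd[0][length] from a form-encoded request body.
    Only this one field is modelled; the real request carries many more."""
    raw = parse_qs(body).get("profile_xmd[0][length]", [""])[0]
    if not raw.isdigit():
        raise ValueError("length must be a non-negative integer")
    return int(raw)


def to_java_int(value: int) -> int:
    """Narrow an integer the way a Java (int) cast does: keep the low
    32 bits and reinterpret them as two's complement."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def span_range(offset: int, length: int) -> tuple[int, int]:
    """(start, end) a Spannable.setSpan() call would receive if the wire
    value were narrowed to int without validation."""
    return offset, offset + to_java_int(length)


def validate_mention(message: str, offset: int, length: int) -> bool:
    """Server-side check a hardened endpoint can apply: the tag must be a
    non-empty range that fits in a Java int and lies inside the text."""
    if offset < 0 or length <= 0 or length > 0x7FFFFFFF:
        return False
    return offset + length <= len(message)


if __name__ == "__main__":
    for body in (SAFE_BODY, CRASH_BODY):
        length = parse_mention_length(body)
        verdict = "accepted" if validate_mention(MESSAGE, MENTION_OFFSET, length) else "rejected"
        print(body, "->", span_range(MENTION_OFFSET, length), verdict)
```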



Timeline

Max, 31 Mar 2017

Submitted

Facebook, 13 Apr 2017

Team didn't find a security risk: After having a discussion with the team, we have decided that crashing the app doesn't pose any significant security risk. In other words, it is ...

Max, 26 Jan 2018

Replied with a similar report that was valid

Facebook, 01 Feb 2018

Facebook Team Accepts The Bug: This should now be fixed, can you take a moment to confirm? Regarding the bounty, it looks like in this case our decision to not reward was inco ...

Facebook, 01 Feb 2018

Bounty Awarded: After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bo ...

Max, 01 Feb 2018

I followed up saying the bug isn't fixed

Facebook, 02 Mar 2018

Asked to submit a new report referencing the old one: Sorry for my delayed response here. If this is still vulnerable, do the original reproduction steps still work? I ask since this report is 11 mon ...

Max, 02 Mar 2018

Created new report

Facebook, 15 Mar 2018

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook, 15 Apr 2019

Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Facebook, 08 May 2019

Bounty Awarded: After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bo ...
