Published On: 12 May 2019
Privilege Escalation in Facebook Rooms: reject a user's request to join a Facebook Messenger Room without being the admin.

After digging around in Facebook looking for possible bugs, I came across Messenger Rooms. Each room has an admin who holds the permissions that control the room, e.g. rejecting or accepting requests to join the chat room.
After poking around in the HTTP requests, I found that the endpoint for rejecting a user's join request wasn't verifying that the user making the POST request was actually an admin of the chat. So as long as you were in the chat, you could send a POST request to "https://www.messenger.com/api/graphqlbatch/", set "thread_id=" to the target room and "user_id=" to the user you wanted to reject, and it would go through.
This could have let non-admin Messenger chat participants reject pending join requests.
Step 1: attacker intercepts the request that rejects a user's join request for a room.
Step 2: attacker changes "thread_id=" to the target room.
Step 3: attacker changes "user_id=" to the target user.
Step 4: attacker forwards the request and the user is kept out of the room.
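As an added illustration (not code from this post, and not Facebook's implementation), here is a minimal Python model of the access-control gap described above: the vulnerable handler only checks that the caller is a participant of the thread named in the request, while the fixed handler checks the caller's admin role for that same thread_id before touching the pending request. All room names, user ids and field names are constructed.

```python
# Added example (not Facebook's code): a minimal model of the missing
# authorization check, shown as the vulnerable handler next to the fixed one.
# Room names, user ids and field names below are constructed sample data.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the mutation."""


@dataclass
class Room:
    thread_id: str
    admins: set = field(default_factory=set)    # users allowed to manage the room
    members: set = field(default_factory=set)   # users currently in the room
    pending: set = field(default_factory=set)   # users waiting for approval


def make_rooms():
    """Constructed sample state: alice is admin, bob is an ordinary member,
    carol and dave have asked to join."""
    return {
        "room-1": Room("room-1",
                       admins={"alice"},
                       members={"alice", "bob"},
                       pending={"carol", "dave"}),
    }


def reject_join_request_vulnerable(rooms, actor, thread_id, user_id):
    """Models the bug: only checks that the actor is *in* the thread,
    so any participant can reject any pending request."""
    room = rooms.get(thread_id)
    if room is None or actor not in room.members:
        raise Forbidden("actor is not a participant of this thread")
    room.pending.discard(user_id)
    return True


DENIED = []  # audit trail of refused attempts; useful for detection


def reject_join_request_fixed(rooms, actor, thread_id, user_id):
    """Hardened handler: the authorization decision is made server-side,
    against the actor's real role in the thread_id the request names."""
    room = rooms.get(thread_id)
    if room is None or actor not in room.admins:
        # record who tried to manage a room they do not administer
        DENIED.append((actor, thread_id, user_id))
        raise Forbidden("actor is not an admin of this thread")
    if user_id not in room.pending:
        return False    # nothing to reject; idempotent, no state change
    room.pending.discard(user_id)
    return True


def is_forbidden(fn, *args):
    """Helper so callers can check an outcome without try/except."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The point of the fixed version is that the role check is evaluated against the thread_id the client supplied, not against whichever room the client was originally viewing, and that denied attempts are logged so repeated rejections from non-admins stand out in the audit trail.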