Facebook Messenger for Android indirect thread deletion vulnerability.

Description:

Facebook Messenger for Android reused the Thread ID when invoked via a deeplink, which could have let an attacker trigger an indirect thread deletion.

This can lead to confusing behaviour on the user side. One example: the user has a 1:1 thread with the attacker. The attacker then forces the user to create a new group chat with the same Thread ID, and that group chat is not functional. If the user deletes that chat, the original chat with the attacker also disappears.

So an attacker could use this method to delete the thread between the victim and their friend, as well as delete chats from the victim's Messenger, because the victim is not able to leave the duplicate group thread and is left with deleting the conversation as the only option.

Deeplink used: fb-messenger://groupthreadfbid/%s

For automatic redirection, a webpage was used (see the script below).

Repro steps:

Messenger app version (Android): 274.0.0.18.120

Create a webpage with the following script (replace the user ID with your own user ID) and host it:

<script>
  // Redirect the page to the group-thread deeplink one second after it loads.
  function trigger() {
    document.location = "fb-messenger://groupthreadfbid/100000505765955";
  }
  setTimeout(trigger, 1000);
</script>

1. Send the link to the crafted webpage to a user with whom you have previously interacted.

2. When the link is opened on the victim's phone, it opens a blank page and redirects back to the thread.

3. Send a message to the victim, or wait for the victim to close and reopen the app; a duplicate thread with the same Thread ID is created between you and the victim on the victim's phone.

4. Now, if the victim sends a message, it shows up in both threads.

5. The victim opens the duplicate (group) thread, taps on members, then taps on admin, and sees "No admin".

6. If the victim tries to leave that group, an error is shown, so the only option left is to delete the duplicate thread, which is the group thread.

7. Once the victim deletes the duplicate thread by selecting "Delete conversation", the original thread is also deleted. This deletion is permanent, as the thread is no longer visible on the web after deletion either.
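The failure mode in the steps above, modelled as an added toy example that is not Messenger's code: a client-side thread list keyed by Thread ID, run once with the reported behaviour and once with a deeplink handler that refuses to register a group view under an ID already held by a 1:1 thread. The handler names, the storage layout, the placeholder ID and the validation check are all assumptions for illustration, not Facebook's actual fix.

```python
from typing import Dict, List, Optional

# Constructed placeholder standing in for the attacker's user ID / Thread ID.
ATTACKER_FBID = "ATTACKER_FBID_PLACEHOLDER"


class ThreadStore:
    """Toy client-side thread list keyed by Thread ID (not Messenger's code)."""

    def __init__(self, validate_deeplinks: bool) -> None:
        self.validate_deeplinks = validate_deeplinks
        # thread_id -> every thread view stored under that ID
        self.threads: Dict[str, List[dict]] = {}

    def create_one_to_one(self, peer_fbid: str) -> str:
        # In this model the 1:1 thread uses the peer's FBID as its Thread ID.
        self.threads.setdefault(peer_fbid, []).append({"kind": "one_to_one", "messages": []})
        return peer_fbid

    def open_group_deeplink(self, thread_id: str) -> Optional[str]:
        """Handle fb-messenger://groupthreadfbid/<thread_id>."""
        existing = self.threads.get(thread_id, [])
        if self.validate_deeplinks and any(v["kind"] != "group" for v in existing):
            # Assumed mitigation: never register a group view under an ID
            # that already belongs to a 1:1 thread.
            return None
        # Reported behaviour: a second, non-functional group view shares the ID.
        self.threads.setdefault(thread_id, []).append({"kind": "group", "messages": []})
        return thread_id

    def send(self, thread_id: str, text: str) -> None:
        # Step 4: a message lands in every view stored under the same ID.
        for view in self.threads.get(thread_id, []):
            view["messages"].append(text)

    def delete_conversation(self, thread_id: str) -> None:
        # Step 7: "Delete conversation" drops everything keyed by that ID.
        self.threads.pop(thread_id, None)

    def has_one_to_one(self, peer_fbid: str) -> bool:
        return any(v["kind"] == "one_to_one" for v in self.threads.get(peer_fbid, []))


def run_scenario(validate_deeplinks: bool) -> dict:
    """Replay steps 2 to 7 and report whether the original 1:1 thread survives."""
    store = ThreadStore(validate_deeplinks)
    store.create_one_to_one(ATTACKER_FBID)
    store.send(ATTACKER_FBID, "hello")
    duplicate = store.open_group_deeplink(ATTACKER_FBID)
    if duplicate is not None:
        store.delete_conversation(duplicate)  # the victim's only way out of the group
    return {"deeplink_accepted": duplicate is not None,
            "one_to_one_survives": store.has_one_to_one(ATTACKER_FBID)}
```

With validation off the deletion of the duplicate group view also removes the 1:1 thread; with validation on the deeplink is rejected and the 1:1 thread is untouched.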

Timeline:

27/07/2020: Report submitted.

29/07/2020: FB managed to reproduce.

03/08/2020: Triaged.

03/09/2020: Fixed.

10/09/2020: Bounty awarded.
