Private giant chat app – Send message to victim while sender blocked

Summary: If receiver blocked sender, still sender was able to send message.

One of giant company’s mobile chat app has functionality to send free sms and when sender send free sms then mobile assigned to that sender for text messaging and it sync to apps chat thread.
So if we send sms to that number that sms goes to chat user and this sync not authenticated blocking functionality.

Steps To Reproduce:

  • Send free sms from chat user A profile to B user, chat user B will recieve text SMS from random mobile number.
  • Now reply to that number from any sms app then A user get message in chat app from user B.
  • Now A user blocked to user B on chatApp so B user is not able to send message to user A on chatApp,
  • Now again goto sms app and send text sms to that number received from A.
  • A user was received message in chatApp from user B without checking blocking functionality.

Timeline:

  • 13/01/2019 : Reported on Hackerone in Private Program.
  • 21/01/2019 : Triaged.
  • 01/04/2019 : Fixed & Bounty rewarded.

Thanks )