Sending ephemeral message – disposable message to any Facebook user

Description:

Facebook Messenger Rooms has a feature to share the room link to other apps when a room is created, and this feature could be abused to send an ephemeral (disposable) message. When we select “Messenger”, the “sendMessage” FB API caller with doc id 3350161661730468 sends the room link to the other user and creates an offline thread.

If we change the “id” value to the victim’s user id, the “message” value to any text, and “offline_threading_id” to any random number, the victim gets a message notification and a thread popup window opens at the victim's end showing the message sent by the attacker. But if the victim refreshes or goes to “Show in Messenger”, the message disappears.


Repro steps:

Setup
===
Users: userOne, userTwo, userThree

App version: Messenger 285.0.0.17.119

OS: Android 10


Steps
==
1. Go to Messenger4Android > Create Room icon > Create Room button > JOIN ROOM
2. Once the room call has started, turn on the proxy to intercept requests.
3. In the room call, tap the “SHARE LINK” button > select “Messenger” > tap the “Send” button next to userTwo.
4. Once the message is sent, go to the captured request in the proxy that shows “X-FB-Friendly-Name: sendMessage”.
5. In the Batch param of the request body, change the following details:
5.1: userTwo id to userThree id
5.2: message param value to any text (it previously contained the room link)
5.3: offline_threading_id to any random number, like 11.

6. Send the edited request. Once it is sent, on userThree's side in the web browser you can see a chat notification and the chat thread pops up.
7. Now go to Messenger by selecting “Show in Messenger” in the same chat thread. The message is not visible there.

Note: The same ephemeral message popup appears in the mobile Messenger app.


Proof of concept
===


Timeline:

09/10/2020: Reported

13/10/2020: Triaged

26/10/2020: Bounty

08/02/2021: Fixed