Sending ephemeral message – disposable message to any Facebook user

Description:

Facebook Messenger Rooms has a feature to share the room link to other apps once a room is created, and it was vulnerable to sending an ephemeral (disposable) message. When we select Messenger as the target, the sendMessage FB API caller with doc id 3350161661730468 sends the room link to the other user, and it creates an offline thread.

If we change the id value to the victim's user id, the message value to any text, and offline_threading_id to any random number, the victim gets a message notification and the thread popup window opens on their end showing the message sent by the attacker. If the victim refreshes or goes to Show in Messenger, the message disappears.


Repro steps:

Setup:

Users: userOne, userTwo, userThree

App version: Messenger 285.0.0.17.119

OS: Android 10

Steps

  1. Go to Messenger4Android > Create Room icon > Create Room button > JOIN ROOM.
  2. Once the room call has started, turn on the proxy to intercept requests.
  3. In the room call, tap the SHARE LINK button > select Messenger > tap the Send button next to userTwo.
  4. Once the message is sent, go to the captured request in the proxy that shows X-FB-Friendly-Name: sendMessage.
  5. In the Batch param of the request body, change the following details:
    5.1: userTwo id to userThree id
    5.2: message param value to any text (it previously contained the room link)
    5.3: offline_threading_id to any random number, like 11.

  6. Send the edited request. Once it is sent, on userThree's side in the web browser you can see the chat notification and the chat thread pops up.
  7. Now go to Messenger by selecting Show in Messenger in the same chat thread. The message is not visible there.

Note: The same ephemeral message popup appears in the mobile Messenger app.
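The behaviour above comes down to a share-link call that accepted free text and raised a notification with no message left in the thread. The following is an added example, not code from this post and not Facebook's implementation or fix: a hypothetical server-side handler that enforces both invariants. The `Store` class, the `share_room_link` function and the `rooms.example` link format are all assumptions made for illustration.

```python
# Added illustration: hypothetical server-side model, not Facebook's code or fix.
import re
from dataclasses import dataclass, field

# Constructed link format; the real room URL scheme is not given in the post.
ROOM_LINK = re.compile(r"https://rooms\.example/([A-Za-z0-9]+)")

@dataclass
class Store:
    room_owner: dict                                   # room id -> creator's user id
    threads: dict = field(default_factory=dict)        # (sender, recipient) -> stored messages
    notifications: list = field(default_factory=list)  # (recipient, stored message)

def share_room_link(store, sender, recipient, message, offline_threading_id):
    """Handle one share-link send. `sender` comes from the session, not the body.

    Returns (accepted, reason).
    """
    m = ROOM_LINK.fullmatch(message)
    if m is None:
        return False, "message is not a room link"
    if store.room_owner.get(m.group(1)) != sender:
        return False, "room was not created by sender"
    # Persist first, then notify from the stored record, so a popup can never
    # show text that is missing from the thread history after a refresh.
    record = {"id": offline_threading_id, "text": message}
    store.threads.setdefault((sender, recipient), []).append(record)
    store.notifications.append((recipient, record))
    return True, "sent"

if __name__ == "__main__":
    store = Store(room_owner={"abc123": "userOne"})
    # Unmodified share from step 3.
    print(share_room_link(store, "userOne", "userTwo", "https://rooms.example/abc123", 1))
    # Request edited as in step 5: new recipient, free text, new offline_threading_id.
    print(share_room_link(store, "userOne", "userThree", "any text", 11))
```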


Proof of concept


Timeline:

  • 09/10/2020: Reported
  • 13/10/2020: Triaged
  • 26/10/2020: Bounty
  • 08/02/2021: Fixed
This post is licensed under CC BY 4.0 by the author.