Sending ephemeral message – disposable message to any Facebook user

Facebook

Description:

Facebook Messenger Rooms has a feature to share the room link with other apps when a room is created, and it was vulnerable to sending ephemeral (disposable) messages. When “Messenger” is selected, the caller uses doc id 3350161661730468 and the “sendMessage” FB API to send the room link to the other user, which creates an offline thread.

If the “id” value is changed to the victim’s user id, the “message” value to any text, and “offline_threading_id” to any random number, the victim receives a message notification and a thread popup window opens on their end showing the message sent by the attacker; but if they refresh or go to “Show in Messenger”, the message disappears.


Facebook iOS address bar spoofing


There is an inconsistency in the way the Facebook iOS Inbox, which uses a WebView component, renders some web page redirections, allowing an attacker to perform address bar spoofing and resulting in an HTTPS URL being displayed with content from some other web site. To demonstrate, I created JavaScript that automatically clicks a link to perform a redirection to an invalid port; this delays the response, so the browser keeps displaying content from the attacker's site without updating back to the initiator page, because the target is non-responsive.

Affected version:

App version: Facebook for iOS 291.0


Facebook Page Admin Disclosure

Page admin disclosure when clicking the join button in the Page inbox of the mobile version

Description:
Every Facebook group has a “Share this group” feature with options for how to share (share on your timeline, share to a page, share in a private message).
If a group is shared in a private message while interacting as a page, the group link is sent from the page admin's profile, which is intended.
If, while interacting as a page, the share-group link is sent to any page, that link goes to the victim page's inbox.
On the web platform the shared link is displayed normally, but in the page inbox of the mobile version there is a “+” plus sign to join the group.

Once the victim page receives the link in its page inbox, sent by the group admin, and the victim page opens the inbox in the mobile version and taps the “+” plus sign, a group join request is sent as the page admin without their knowledge, because the link was received in the page inbox.


Bypass Samsung Knox protection to read files stored in a secure folder | Android


Description: Samsung Knox is a defensive mobile security platform built into Samsung devices that enhances security in all directions through a combination of physical means and software systems, providing protection from the hardware to the application layer.

I used the path and file structure to bypass Samsung Knox protection in an unauthorized manner to read the files stored in the secure folder, and received a $3750 reward from Samsung.

Severity: High | SVE-2020-18025

Xiaomi Android : Harvest private/system files (Updated POC)


Yet another Android vulnerability which I found on Xiaomi, the giant mobile manufacturer.

Summary: The inbuilt SMS application is pre-installed on those devices. The application is built with a feature that syncs to the cloud using a WebView running inside the application's sandbox.
This application can also be launched from the browser and have its WebView directed to load an arbitrary URL, allowing access to the local file system, reading of local resources, and access to network resources.


FB & Messenger for iOS : Address Bar spoofing using data uri


Summary: Facebook & Messenger for iOS were vulnerable to address bar spoofing, which could be reproduced by navigating from the target domain to the attacker's domain.

The attacker's domain was able to set the location to data:text/html,<script>…</script> using the Location header, so the script was executed in that context while the target domain remained in the URL bar.
