Description:
Facebook Messenger Rooms has a feature to share the room link to other apps when a room is created, and this feature was vulnerable to sending an ephemeral (disposable) message. When we select “Messenger”, the “sendMessage” FB API caller, using doc id 3350161661730468, sends the room link to the other user and creates an offline thread.
If we change the “id” value to the victim’s user id, the “message” value to any text, and “offline_threading_id” to any random number, the victim gets a message notification and a thread popup window opens at his end showing the message sent by the attacker, but if he refreshes or goes to “Show in Messenger”, the message disappears.