Instagram vulnerability: Turn off all types of message requests using a deeplink (Android)


Instagram vulnerability description:
The Instagram for Android app has a messaging tool; users can change message controls to decide whether they want to receive messages from potential connections or other people from Facebook and Instagram.

Instagram’s Android app implements a deeplink, “instagram://turn_off_message_requests”, that turns off all requests so the user won’t receive messages from anybody. This deeplink executes headlessly, so there is no UI after the deeplink runs.

Thus, a malicious or rogue app could launch the turn-off-message-requests deeplink without holding any permission (such as “FB_APP_COMMUNICATION”), and an attacker could disable all incoming messages for an Instagram user.


Repro steps:

Instagram android app version: 258.1.0.26.100

1. Go to Instagram for Android > Messages > Tools > Message controls

2. Set “deliver requests to” to “message requests”

3. Close the Instagram app

4. Launch the “instagram://turn_off_message_requests” deeplink (without quotes)

5. Open the Instagram app and go to Message controls; every option has become “Don’t receive”.
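A defensive handler for the same deeplink, as an added example that is not Instagram’s code: the setting is only changed silently when the navigation comes from the app itself; any other caller gets a confirmation dialog instead of a headless state change. The class name, preference file and key, and the use of SharedPreferences as the store are assumptions made for illustration.

```kotlin
// Added example, not Instagram's code. Class, preference and path names are
// assumptions made for illustration.
import android.app.Activity
import android.app.AlertDialog
import android.content.Context
import android.net.Uri
import android.os.Bundle

// Hypothetical persistence for the "deliver requests to" controls.
object MessageControlsStore {
    private const val PREFS = "message_controls"          // assumed preference file
    private const val KEY_DELIVER_REQUESTS = "deliver_requests"  // assumed key

    fun setAllRequestsOff(context: Context) {
        context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
            .edit()
            .putBoolean(KEY_DELIVER_REQUESTS, false)
            .apply()
    }
}

// Handles instagram://turn_off_message_requests. It still has to be exported via
// an intent-filter for the deeplink to work at all, which is exactly why the
// handler cannot assume a trusted caller.
class TurnOffMessageRequestsActivity : Activity() {

    companion object {
        private const val SCHEME = "instagram"
        private const val HOST = "turn_off_message_requests"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val data: Uri? = intent.data
        if (data == null || data.scheme != SCHEME || data.host != HOST) {
            finish()
            return
        }

        // Activity.getReferrer() (API 22+) reports android-app://<package> for
        // in-app navigation. It is a hint, not an authorisation proof, so it is
        // only used to skip the dialog for the app's own navigation; an external
        // or unknown caller always goes through the confirmation UI.
        val fromThisApp = referrer?.let { ref ->
            ref.scheme == "android-app" && ref.host == packageName
        } ?: false

        if (fromThisApp) {
            MessageControlsStore.setAllRequestsOff(this)
            finish()
            return
        }

        // External caller: surface the request and let the user decide.
        AlertDialog.Builder(this)
            .setTitle("Turn off all message requests?")
            .setMessage("Another app asked Instagram to stop delivering all message requests.")
            .setPositiveButton("Turn off") { _, _ ->
                MessageControlsStore.setAllRequestsOff(this)
                finish()
            }
            .setNegativeButton("Cancel") { _, _ -> finish() }
            .setOnCancelListener { finish() }
            .show()
    }
}
```

The dialog is what restores the "UI after execution" that the report says was missing. A stricter design keeps the exported deeplink Activity purely as a router and performs the actual setting change only in a non-exported component, so that no external intent can reach the state change at all.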

POC:

Timeline:

29/10/2022: Report submitted.

02/11/2022: Triaged

09/11/2022: Bounty

20/12/2022: Fixed

Follow me on Twitter:
https://twitter.com/RahulKankrale

Facebook Android vulnerability: Launching internal/tightened deeplink on behalf of user

In Facebook for Android, the ad-creation deeplink “ads_lwi_coupon_interstitial” has the parameter “landing_page”. The URI passed to this parameter was not validated, so any internal/tightened deeplink passed to it was launched when the “Get Started” button was pressed in the UI.

Vulnerable deeplink:

fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home

Mobile app version: 342.0.0.37.119

Reproduction steps:

  1. Create an intent from a third-party app or an HTML page with the deeplink “fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home”
  2. Launch the deeplink/app
  3. Tap “Get Started”
  4. The internal settings screen opens.
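The root cause above is a nested URI that is launched verbatim. The following added example (not Facebook’s code) shows the unvalidated pattern next to a hardened resolver that checks the “landing_page” value against an explicit scheme and host allowlist before it can be launched; the allowlisted hosts, the function names and the benign sample URL are assumptions made for illustration.

```kotlin
// Added example, not Facebook's code. The allowlist, function names and the
// benign sample URL are assumptions made for illustration.
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.util.Log

// Constructed allowlist: a landing page must be an https URL on one of these hosts.
private val ALLOWED_LANDING_HOSTS = setOf("www.facebook.com", "m.facebook.com")

sealed class LandingPage {
    data class Allowed(val uri: Uri) : LandingPage()
    data class Rejected(val reason: String) : LandingPage()
}

// Vulnerable pattern: the nested URI is launched exactly as the caller supplied it,
// so every scheme the app registers (internal ones included) becomes reachable.
fun launchLandingPageUnsafe(context: Context, deeplink: Uri) {
    val landing = deeplink.getQueryParameter("landing_page") ?: return
    context.startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(landing)))
}

// Hardened form: parse the nested URI and accept only an allowlisted scheme/host.
fun resolveLandingPage(deeplink: Uri): LandingPage {
    // getQueryParameter() percent-decodes, so an encoded "fbinternal%3A%2F%2F..."
    // is seen with its real scheme here rather than slipping through as text.
    val raw = deeplink.getQueryParameter("landing_page")
        ?: return LandingPage.Rejected("landing_page missing")
    val landing = Uri.parse(raw)
    val scheme = landing.scheme?.lowercase()
        ?: return LandingPage.Rejected("relative or scheme-less landing_page")
    if (scheme != "https") {
        return LandingPage.Rejected("scheme '$scheme' is not allowed")
    }
    val host = landing.host?.lowercase()
    if (host == null || host !in ALLOWED_LANDING_HOSTS) {
        return LandingPage.Rejected("host '${host ?: ""}' is not allowlisted")
    }
    return LandingPage.Allowed(landing)
}

fun launchLandingPageSafely(context: Context, deeplink: Uri) {
    when (val decision = resolveLandingPage(deeplink)) {
        is LandingPage.Allowed -> context.startActivity(Intent(Intent.ACTION_VIEW, decision.uri))
        is LandingPage.Rejected -> Log.w("LandingPage", decision.reason)
    }
}

// Walk-through with the deeplink from the report and a constructed benign one.
fun landingPageDemo() {
    val reported = Uri.parse(
        "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home"
    )
    val benign = Uri.parse(
        "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&landing_page=https://www.facebook.com/ads/manager&entry_point=home"
    )
    println(resolveLandingPage(reported))  // rejected: scheme is fbinternal, not https
    println(resolveLandingPage(benign))    // allowed: https on an allowlisted host
}
```

The check is deliberately an allowlist rather than a denylist of internal schemes: a new internal scheme added later stays blocked by default instead of becoming reachable until someone remembers to list it.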

Proof of concept:

Timeline:

31/10/2021: Reported
03/11/2021: Triaged
06/12/2021: Fixed
02/02/2022: Reward $3000 + $225 (Silver Bonus) + $300 (delay bonus)

Facebook Messenger for android indirect thread deletion vulnerability.


Description:

Facebook Messenger for Android reuses the Thread ID when invoked via a deeplink, which could have allowed an attacker to cause an indirect thread deletion.

This can lead to some confusing behaviour on the user-side, one example being: The user has a 1:1 with the attacker. The attacker then forces the user to create a new Group Chat with the same Thread ID that is not functional. If the user deletes the chat, the original chat with the attacker also disappears.

So an attacker could use this method to delete the thread between the victim and their friend, as well as delete chats from the victim’s Messenger, because the victim cannot leave the duplicate group thread and the only option left is to delete the conversation.

Deeplink used: fb-messenger://groupthreadfbid/%s

For automatic redirection using a webpage:

Repro steps:

Messenger app version (Android): 274.0.0.18.120

Create a webpage with the following script (replace the user ID with your own user ID) and host it:

<script>
  function trigger() {
    document.location = "fb-messenger://groupthreadfbid/100000505765955";
  }
  setTimeout(trigger, 1000);
</script>

1. Send the link to the crafted webpage to a user you have previously interacted with.

2. When the victim taps the link on their phone, a blank page opens and redirects back to the thread.

3. Send a message to the victim, or wait until the victim closes and reopens the app; a duplicate thread with the same thread ID is created between you and the victim on the victim’s phone.

4. Now, if the victim sends a message, it shows in both threads.

5. The victim opens the duplicate (group) thread, taps Members and then Admin, and sees “No admin”.

6. If the victim tries to leave that group, they get an error, so the only option left is to delete the duplicate (group) thread.

7. Once the victim deletes the duplicate thread via “Delete conversation”, the original thread is deleted as well. This deletion is permanent: the thread is no longer visible on the web after deletion.
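The fix the description implies is that a deeplink must resolve to an existing group thread rather than create or reuse one. The following added example (not Messenger’s code) shows such a resolver: the id in fb-messenger://groupthreadfbid/<id> is only opened if it already exists, is a group, and contains the current user; the ThreadStore interface, ThreadKind, and the sample thread ids are assumptions made for illustration.

```kotlin
// Added example, not Messenger's code. ThreadStore, ThreadKind and the sample
// thread data are assumptions made for illustration.
import android.net.Uri

enum class ThreadKind { ONE_TO_ONE, GROUP }

data class ChatThread(val id: Long, val kind: ThreadKind, val memberIds: Set<Long>)

// Hypothetical read-only view of the local thread database.
interface ThreadStore {
    fun find(id: Long): ChatThread?
}

sealed class GroupDeepLink {
    data class Open(val thread: ChatThread) : GroupDeepLink()
    data class Reject(val reason: String) : GroupDeepLink()
}

// Resolves fb-messenger://groupthreadfbid/<id>. The handler never creates a
// thread: an id that does not resolve to an existing group thread the current
// user belongs to is rejected, so a 1:1 thread key cannot be reused as a group.
fun resolveGroupThreadDeepLink(uri: Uri, store: ThreadStore, currentUserId: Long): GroupDeepLink {
    if (uri.scheme != "fb-messenger" || uri.host != "groupthreadfbid") {
        return GroupDeepLink.Reject("not a group-thread deeplink")
    }
    val id = uri.pathSegments.singleOrNull()?.toLongOrNull()
        ?: return GroupDeepLink.Reject("malformed thread id")
    val thread = store.find(id)
        ?: return GroupDeepLink.Reject("no such thread; deeplinks do not create threads")
    if (thread.kind != ThreadKind.GROUP) {
        return GroupDeepLink.Reject("id $id is a ${thread.kind} thread, not a group")
    }
    if (currentUserId !in thread.memberIds) {
        return GroupDeepLink.Reject("current user is not a member of thread $id")
    }
    return GroupDeepLink.Open(thread)
}

// Constructed sample: the current user (1001) has a 1:1 thread whose key collides
// with the id carried by an incoming deeplink, plus a genuine group thread 5005.
fun groupThreadDemo() {
    val currentUser = 1001L
    val store = object : ThreadStore {
        private val threads = mapOf(
            2002L to ChatThread(2002L, ThreadKind.ONE_TO_ONE, setOf(currentUser, 2002L)),
            5005L to ChatThread(5005L, ThreadKind.GROUP, setOf(currentUser, 2002L, 3003L)),
        )
        override fun find(id: Long) = threads[id]
    }
    // Collides with the 1:1 thread: rejected instead of spawning a duplicate group.
    println(resolveGroupThreadDeepLink(Uri.parse("fb-messenger://groupthreadfbid/2002"), store, currentUser))
    // Existing group the user belongs to: opened.
    println(resolveGroupThreadDeepLink(Uri.parse("fb-messenger://groupthreadfbid/5005"), store, currentUser))
    // Unknown id: rejected rather than created.
    println(resolveGroupThreadDeepLink(Uri.parse("fb-messenger://groupthreadfbid/7777"), store, currentUser))
}
```

Separating thread kinds in the lookup is the point: the report’s symptom (a group thread with no admin that cannot be left and shares its id with a 1:1 chat) only arises when the deeplink path is allowed to materialise a thread record for an id that already belongs to a different kind of thread.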

Timeline:

27/07/2020: Report submitted.

29/07/2020: FB managed to reproduce.

03/08/2020: Triaged

03/09/2020: Fixed

10/09/2020: Bounty

POC:


Sending ephemeral message – disposable message to any Facebook user


Description:

Facebook Messenger Rooms has a feature to share the room link to other apps once a room is created, and it was vulnerable to ephemeral (disposable) messages. Using doc id 3350161661730468 and the “sendMessage” FB API call, the caller sends a room link to another user when we select “Messenger”; this creates an offline thread.

If we change the “id” value to the victim’s user id, the “message” value to any text, and the “offline_threading_id” to any random number, the victim gets a message notification, a thread popup window opens on their end showing the message sent by the attacker, but if they refresh or go to “Show in Messenger” the message has disappeared.


Facebook Page Admin Disclosure

Page Admin Disclosure when clicking join button in Page inbox of mobile version


Description:
Every Facebook group has a “Share this group” feature with options for how to share (share on your timeline, share to a page, share in a private message).
Using this feature in a group while interacting as a page, if the page shares the group in a private message, the group link is sent from the page admin’s profile, which is intended.
If, while interacting as a page, the share-group link is sent to any other page, that link goes to the victim page’s inbox.
On the web platform the shared link is displayed normally, but if we look at the page inbox in the mobile version there is a “+” (plus) sign to join the group.

Once the victim page has received the link in its page inbox from the group admin, and the victim page opens the inbox in the mobile version and taps the “+” sign, a group join request is sent as the page admin without their knowledge, because the link was received in the page inbox.


FB & Messenger for iOS: Address Bar spoofing using data URI


Summary: Facebook & Messenger for iOS were vulnerable to address bar spoofing, which could be reproduced by navigating from the target domain to the attacker’s domain.

The attacker’s domain was able to set the location to data:text/html,<script>…</script> using the Location header, so the script executed in context while the target domain remained in the URL bar.
