How I Found Facebook Messenger Leaking Access Tokens of Millions of Users

Guhan Raja
Published in InfoSec Write-ups
2 min read, Nov 12, 2020

Hi everyone,

This blog tells the story of how I discovered that the Facebook Messenger iOS app was leaking the access tokens of millions of users to a third-party site, a GIF search engine.

I was checking out an iOS app and trying to see if I could find any issues with it. After a while I hadn't found anything interesting, so I closed the app and went back to using my phone as usual.

Then I got a message from a friend on Messenger, so I opened it up to reply with a GIF. While doing this, I remembered that I still had Burp Suite running, a proxy that lets me see the data apps send. When I looked at the captured traffic, I noticed that every time I searched for a GIF, something called an "access token" was being sent along with the request to the GIF search engine.

What is an Access Token?
An access token is a temporary token or key that lets the holder perform certain actions on behalf of the user.

What can we do with it?
With the token, an attacker can access the user's account without knowing the password.
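The pattern described above, a first-party credential riding along on requests to a third-party host, is something a proxy log review can catch automatically. The following is an added example, not code from the original write-up: it scans constructed sample requests and flags any credential-like query parameter sent to a host outside an allowlist. The parameter name `access_token`, the allowlisted hosts and the GIF host are assumptions, not values from the post.

```python
"""Flag requests that carry an access token to a host outside the first party.

Added example (not part of the original write-up). Sample requests are
constructed; the parameter name "access_token" and all hostnames are
assumptions, not values taken from the post.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately receive the app's own token (assumed for the example).
FIRST_PARTY_HOSTS = {"graph.facebook.com", "api.facebook.com"}

# Query-parameter names that commonly carry bearer credentials (assumed list).
TOKEN_PARAMS = {"access_token", "token", "api_key"}


def token_leaks(requests):
    """Return (method, host, param) for each request whose query string
    carries a credential-like parameter to a non-first-party host.
    A host counts as first party if it equals, or is a subdomain of,
    an allowlisted host."""
    findings = []
    for method, url in requests:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        first_party = any(host == h or host.endswith("." + h)
                          for h in FIRST_PARTY_HOSTS)
        if first_party:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            if name.lower() in TOKEN_PARAMS:
                findings.append((method, host, name))
    return findings


# Constructed sample of what a proxy log might contain (hostnames are placeholders).
SAMPLE_REQUESTS = [
    ("GET", "https://graph.facebook.com/v8.0/me?access_token=EAAB...placeholder"),
    ("GET", "https://gif-search.example/v1/search?q=hello&access_token=EAAB...placeholder"),
    ("GET", "https://gif-search.example/v1/trending?q=cats"),
]

if __name__ == "__main__":
    for method, host, name in token_leaks(SAMPLE_REQUESTS):
        print(f"{method} to {host} sends credential parameter '{name}'")
```

The same check can be pointed at a Burp Suite HTTP history export, since only the (method, URL) pairs are needed.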

I immediately reported the issue to Facebook. They took a day to look into it, then passed it to their product team. Surprisingly, within just 5 hours they rolled out an update that temporarily fixed the issue.

POC Video:

Timeline:
26-Sep-2020: Report Sent
28-Sep-2020: Further investigation by Facebook
28-Sep-2020: Temporary Fix
06-Oct-2020: Fixed
10-Nov-2020: Rewarded $15k

Conclusion:
Facebook has confirmed that there is no evidence of abuse and has invalidated all relevant access tokens.

Thanks to Priya Sarvesan (my college mate who texted me) and Facebook Security Team.
