Privilege Escalation in Facebook Messenger Rooms

Privilege Escalation in Facebook Rooms: reject a user's request to join a Facebook chat room without having to be the admin.

Vulnerability Type:

Privilege escalation / authorization bypass

Product Area:

Messenger

Description/Impact

After digging around in Facebook looking for possible bugs, I came across Messenger Rooms. Each room has an administrator who holds the permissions to control almost everything about the room, for example rejecting or accepting requests to enter it.

After poking around in the HTTP requests, I found that the endpoint for rejecting a user's join request wasn't verifying that the user making the POST request was actually an admin of the chat.

So as long as you were in the chat, you could send a POST request to https://www.messenger.com/api/graphqlbatch/ with `thread_id` set to the target room and `user_id` set to the user you wanted to reject, and it would go through.

Reproduction Steps:

1) Attacker intercepts the request that rejects a member's request to join a room.
2) Attacker changes `&thread_id` to the target room.
3) Attacker changes `&user_id` to the target user.
4) Attacker forwards the request and the target user is out of the room.
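To make the missing check concrete, here is an added example (my own illustration, not Facebook's code; the room data is constructed and the function names are hypothetical) of a minimal server-side handler for this action. The vulnerable version only verifies that the caller belongs to the room named in the request, which is exactly the gap above; the fixed version also requires the admin role for that specific `thread_id` and records denied attempts so they can be alerted on.

```python
# Added example (not Facebook's code): a minimal server-side handler for a
# "reject pending join request" action, showing the missing admin check that
# the write-up describes beside a hardened version. All room data is constructed.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass
class Room:
    thread_id: str
    admin_ids: set = field(default_factory=set)
    member_ids: set = field(default_factory=set)
    pending_ids: set = field(default_factory=set)  # users awaiting approval


def make_rooms():
    """Constructed sample data: one room with an admin, a regular member and
    one pending join request."""
    room = Room(
        thread_id="room-1",
        admin_ids={"admin-a"},
        member_ids={"admin-a", "member-b"},
        pending_ids={"pending-c"},
    )
    return {room.thread_id: room}


def reject_join_request_vulnerable(rooms, actor_id, thread_id, user_id):
    """Mirrors the flaw in the write-up: the handler only verifies that the caller
    belongs to the room named by thread_id, never that they administer it."""
    room = rooms[thread_id]
    if actor_id not in room.member_ids:
        raise AuthorizationError("caller is not in this room")
    room.pending_ids.discard(user_id)
    return True


def reject_join_request_fixed(rooms, actor_id, thread_id, user_id, audit_log):
    """Hardened version: authorization is decided against the room named in the
    request (the caller controls thread_id, so it must be re-checked here), and
    the admin role for that room is required. Denied attempts are logged."""
    room = rooms.get(thread_id)
    if room is None or actor_id not in room.member_ids:
        audit_log.append(("denied", actor_id, thread_id, user_id, "not-a-member"))
        raise AuthorizationError("caller is not in this room")
    if actor_id not in room.admin_ids:
        audit_log.append(("denied", actor_id, thread_id, user_id, "not-an-admin"))
        raise AuthorizationError("caller is not an admin of this room")
    if user_id not in room.pending_ids:
        # Nothing to reject; return quietly rather than leaking other state.
        return False
    room.pending_ids.discard(user_id)
    audit_log.append(("rejected", actor_id, thread_id, user_id, "ok"))
    return True


def demo():
    """Replays the write-up's scenario: a non-admin member, member-b, submits a
    request naming the room and the pending user. Reports what each handler did."""
    vulnerable_rooms = make_rooms()
    vulnerable_ok = reject_join_request_vulnerable(
        vulnerable_rooms, "member-b", "room-1", "pending-c")

    fixed_rooms = make_rooms()
    log = []
    try:
        reject_join_request_fixed(fixed_rooms, "member-b", "room-1", "pending-c", log)
        fixed_ok = True
    except AuthorizationError:
        fixed_ok = False

    return {
        "vulnerable_allowed": vulnerable_ok,
        "vulnerable_pending_left": sorted(vulnerable_rooms["room-1"].pending_ids),
        "fixed_allowed": fixed_ok,
        "fixed_pending_left": sorted(fixed_rooms["room-1"].pending_ids),
        "audit_log": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the fixed handler is that the role check is keyed on the `thread_id` and `user_id` taken from the request itself, not on whatever room the caller happened to be viewing; a membership check alone is the bug. The audit entries give the detection side something to alert on, since a member repeatedly hitting "not-an-admin" denials is a clear signal of tampered requests.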

Video Proof of Concept

Reject a pending join request in Messenger without being an admin

Timeline:

18/May/2018 Report Sent

22/May/2018 Initial response by Facebook / bug confirmed by Facebook

12/Jul/2018 Facebook sends the report to the appropriate product team for further investigation

01/Aug/2018 Bug fixed and response by Facebook

02/Aug/2018 Confirmation of fix by me

18/Aug/2018 Bounty awarded