Privilege Escalation in Facebook Rooms: rejecting a user's request to join a Facebook chat room without being the admin
Category: Privilege Escalation / Authorization Bypass
After digging around in Facebook looking for possible bugs, I came across Messenger Rooms. Each room has an administrator who holds nearly all of the permissions needed to control the room, for example rejecting or accepting requests to join it.
After poking around in the HTTP requests, I found that the endpoint for rejecting a user's join request wasn't verifying that the user making the POST request was actually an admin of the chat.
So as long as you were in the chat, you could send a POST request to https://www.messenger.com/api/graphqlbatch/ with thread_id set to the target room and user_id set to the user you wanted to reject, and it would go through.
1) The attacker intercepts the request that rejects a member's request to join a room.
2) The attacker changes the &thread_id to the target room.
3) The attacker changes the &user_id to the target user.
4) The attacker forwards the request, and the user is out of the room.
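To make the missing check concrete, the following is an added example for this write-up, not Facebook's code and not part of the original report. It models a "reject join request" handler in Python: a vulnerable version that only confirms the caller is a member of the room named in the body (the class of bug described above), beside a hardened version that requires the session user to be an admin of that specific thread_id and checks that the target actually has a pending request. Room ids, user names and the form-body layout are constructed for illustration.

```python
# Added example for this write-up (not Facebook's code): a minimal model of a
# "reject join request" handler. The vulnerable version reproduces the class
# of bug described above (only room membership is checked); the fixed version
# requires the session user to be an admin of the thread named in the body.
# Room ids, user names and the form-body layout are constructed for illustration.
from dataclasses import dataclass, field
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the authenticated caller may not perform the action."""


@dataclass
class Room:
    thread_id: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    pending: set = field(default_factory=set)   # join requests awaiting a decision


def make_sample_rooms() -> dict:
    """Constructed sample state: 'alice' administers room-1, 'mallory' is an
    ordinary member of it, and 'carol' is waiting for approval to join."""
    return {
        "room-1": Room("room-1", admins={"alice"},
                       members={"alice", "mallory"}, pending={"carol"}),
        "room-2": Room("room-2", admins={"dave"},
                       members={"dave"}, pending={"erin"}),
    }


def parse_reject_body(body: str) -> tuple:
    """Extract thread_id and user_id from a form-encoded POST body such as
    'thread_id=room-1&user_id=carol' (a constructed shape, not Facebook's)."""
    params = parse_qs(body, strict_parsing=True)
    try:
        return params["thread_id"][0], params["user_id"][0]
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None


def reject_request_vulnerable(rooms: dict, session_user: str, body: str) -> bool:
    """Mirrors the reported bug: the handler confirms the caller is *in* the
    room, but never that they administer it, so any member can reject any
    pending user simply by choosing thread_id and user_id in the body."""
    thread_id, user_id = parse_reject_body(body)
    room = rooms[thread_id]
    if session_user not in room.members:
        raise Forbidden("caller is not in this room")
    room.pending.discard(user_id)
    return True


def reject_request_fixed(rooms: dict, session_user: str, body: str) -> bool:
    """Hardened handler. The decision is made from server-side room records and
    the session identity; nothing in the request body is trusted for scope:
      1. the room named by thread_id must exist,
      2. the session user must be an admin of *that* room,
      3. the target must actually have a pending request there."""
    thread_id, user_id = parse_reject_body(body)
    room = rooms.get(thread_id)
    if room is None:
        raise Forbidden("unknown room")
    if session_user not in room.admins:
        raise Forbidden("caller is not an admin of this room")
    if user_id not in room.pending:
        raise Forbidden("no pending join request for this user")
    room.pending.discard(user_id)
    return True


def attempt(handler, rooms: dict, session_user: str, body: str) -> str:
    """Run a handler and summarise the outcome, so both versions can be
    compared side by side on the same request."""
    try:
        handler(rooms, session_user, body)
        return "allowed"
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    # mallory is a member of room-1 but not its admin; she tries to reject carol.
    hostile = "thread_id=room-1&user_id=carol"
    print("vulnerable: ", attempt(reject_request_vulnerable, make_sample_rooms(), "mallory", hostile))
    print("fixed:      ", attempt(reject_request_fixed, make_sample_rooms(), "mallory", hostile))
    print("fixed/admin:", attempt(reject_request_fixed, make_sample_rooms(), "alice", hostile))
```

The design point is where the authorization decision gets its inputs: the caller's identity comes from the authenticated session, the role comes from the server's own record of who administers the room named by thread_id, and the body supplies only the target. A handler that checks "is the caller in some room" or "is the caller an admin somewhere" instead of "is the caller an admin of this thread" is exactly what lets a forwarded request with a swapped thread_id succeed.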
Video Proof of Concept
Timeline
18/May/2018 Report sent
22/May/2018 Initial response by Facebook; bug confirmed by Facebook
12/Jul/2018 Facebook sent it to the appropriate product team for further investigation
01/Aug/2018 Bug fixed and response from Facebook
02/Aug/2018 Fix confirmed by me
18/Aug/2018 Bounty awarded