Privilege Escalation in Facebook Messenger Rooms

Jafar Abo Nada
Aug 24, 2018 · 2 min read

Privilege escalation in Facebook Rooms: reject a user's request to join a Facebook chat room without having to be the admin.

Vulnerability Type:

Privilege Escalation/bypass authorization

Product Area:



After digging around in Facebook looking for possible bugs, I came across Messenger Rooms. Each room has an administrator who holds almost all of the permissions, for example rejecting or accepting requests to enter the room.

After poking around in the HTTP requests, I found that the endpoint for rejecting a user requesting to join wasn’t verifying that the user making the POST request was actually an admin of the chat.

So as long as you were in the chat, you could send a POST request to
(“") with “thread_id=” set to the target room and “user_id=” set to that of the user you wanted to reject, and it would go through.

Reproduction Steps:

1) The attacker intercepts the HTTP request that rejects a user's request to join a room
2) The attacker changes the &thread_id to the target room
3) The attacker changes the &user_id to the target user
4) The attacker forwards the request and the user is out of the room.
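The missing check behind these steps, shown next to a hardened version. This is an added example on a constructed in-memory model, not Facebook's code; the room, user names, and function names are hypothetical, and `actor` is assumed to come from the authenticated session rather than from the request body.

```python
# Added illustration: a constructed in-memory model, not Facebook's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the role the action requires."""


@dataclass
class Room:
    admins: set
    members: set
    pending: set = field(default_factory=set)


def make_rooms():
    # Constructed sample data: alice is admin, bob is an ordinary member,
    # carol has a pending join request.
    return {"room-1": Room(admins={"alice"}, members={"alice", "bob"},
                           pending={"carol"})}


def reject_vulnerable(rooms, actor, thread_id, user_id):
    """Behaviour the write-up describes: being in the chat is the only gate."""
    room = rooms[thread_id]
    if actor not in room.members:
        raise Forbidden("not in room")
    room.pending.discard(user_id)  # no admin check before the state change
    return True


def reject_fixed(rooms, actor, thread_id, user_id):
    """Hardened: authorize the actor against the room named in the request."""
    room = rooms.get(thread_id)
    # Same error for an unknown room and a non-admin, so ids cannot be probed.
    if room is None or actor not in room.admins:
        raise Forbidden("admin role required")
    if user_id not in room.pending:
        return False  # nothing to reject
    room.pending.remove(user_id)
    return True


if __name__ == "__main__":
    print(reject_vulnerable(make_rooms(), "bob", "room-1", "carol"))
    try:
        reject_fixed(make_rooms(), "bob", "room-1", "carol")
    except Forbidden as exc:
        print("blocked:", exc)
```

The authorization decision has to be made server-side for every request, using the `thread_id` the request actually carries, because both parameters are under the client's control.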

Video Proof of Concept

Reject a pending join request in Messenger without being an admin


18/May/2018 Report Sent

22/May/2018 Initial Response by Facebook/Bug Confirmed by Facebook

12/Jul/2018 Facebook sending it to the appropriate product team for further investigation

01/Aug/2018 Bug fixed and response by Facebook

02/Aug/2018 Confirmation of fix by me

18/Aug/2018 Bounty awarded
