Facebook Group Chat Bug {2013}

Rahul M
2 min readJul 21, 2015

--

Facebook Groups chat bug , this was the bug which made my name to reach few people :P .

In Facebook groups feature any member of a group can start a chat with all the group members with two condition

1)The group should have less members.

2)The person who start the chat should be a member of that group.

But I found a bug with which I can break those two conditions.

Steps :

  • Go to a group in which your not a member or a group in which chat button is not available.
  • Now right click on that group page and go to inspect elements and find data-uid this will have the group id.
  • Now go to a group in which your a member with message button available.
  • Now right click on message button and select inspect elements. And you i’ll find the below code
  • <a href=”#” ajaxify=”/ajax/choose/?type=group_members&amp;group_id=xxxxxxxxxxxxxxx” rel=”dialog” role=”button”>Message</a>
  • Now in that code replace xxxxxxxxxxxxxxx with your target group id and click message ;)
  • Now a pop out box will come and their search for members and add them to chat.

Report Story:

I reported this bug to Facebook Team and initially they thought this isn’t a valid bug. But later I created a group chat of groups in which Mark is a member. And then I have sent a message to that group members. Now the message was in their Other box but when a valid person of group replied, that message went to other user’s inbox including Mark. Mark saw the message and he left the conversation. And next day Facebook Team replied and then after two or three days after investigation they fixed the bug. Below you can find a screenshot of Mark leaving the conversation !

And the bounty was $2000 and now the bug is patched.

Original Post

--

--

Rahul M

Developer/Whitehat ~ 🍎 WWDC 2017 Scholarship Winner ~ Found security bugs in Apple, Amazon, Facebook, Google, Yahoo, UnitedAirlines & much more. www.rahulm.me