Update: Page with Multiple Admins Weird Error, Messenger Bot Hijacked

By Tam, published in Tam on Tech, Jun 24, 2017

Update: The problem described below seems to be coming from Facebook's multiple-admin policy. We are still investigating. The Chatfuel team has been very fast and responsive.

Original: I love Chatfuel: we develop our own bots, but often use the platform to prototype ideas and even choose it to run a fun project — Catbot.

This morning, Saturday, June 23, 2017, we ran into a weird error:

Our bot, Sumi, built outside of Chatfuel, suddenly got processed by the platform, causing errors, crashes and a lot of confusion for our users.

How did it happen? Our theory:

If you authorize Chatfuel to access your Facebook account, it can access any page that you own, even one that has nothing to do with Chatfuel.

This is not only scary, but in our case, causes a serious problem.

Sumi is a popular Vietnamese teenager bot, with +100K users and millions of messages monthly. Saturday morning is often a time for friends and relaxation. Suddenly, our users saw a lengthy Chatfuel warning before Sumi’s own message:

Worse, the message is in English, while our entire UI is in Vietnamese!

Chatfuel’s message was complaining about a missing block in Settings. Well, of course, we have never set up Chatfuel for Sumi, since we build the bot ourselves (Hekate).

We immediately rushed to the Chatfuel dashboard: maybe we had accidentally switched something on?

Nope, there is no trace of Sumi in Chatfuel’s own dashboards. The only active bots are our Catbots.

But on Facebook, Page Settings/Messenger Platform tells a different story:

Chatfuel has somehow become a subscribed app, without our permission!

Very sneaky and scary!

Our best guess is that, when I logged on to Chatfuel to use Catbot, it also gained access to all pages I own, including Sumi. Chatfuel then obtains Sumi’s Page token automatically, without our knowledge or authorization.

TL;DR: If you manage two or more pages, and one of them uses Chatfuel, you might want to go to Page Settings/Messenger Platform and delete Chatfuel from subscribed apps. Otherwise, your bot messages might accidentally get processed by Chatfuel.

I reached out to Chatfuel and will post their reply here.
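The subscribed-apps check from the TL;DR can also be scripted across every page you manage. The following is an added example, not code from this post, Chatfuel or Facebook: it audits responses shaped like the Graph API `/{page-id}/subscribed_apps` edge (the shape is an assumption) against an allowlist, and the app ids, the "Hekate" app entry and the allowlist are constructed sample values.

```python
# Added example: audit which apps are subscribed to each Facebook Page's webhooks.
# Input mirrors the JSON of the Graph API edge /{page-id}/subscribed_apps
# (assumed shape: a "data" list of apps with "id", "name", "subscribed_fields").
# All app ids, app entries and the allowlist below are constructed sample values.

MESSAGING_FIELDS = {"messages", "messaging_postbacks"}

# Constructed sample: per-page responses, keyed by page name.
SAMPLE_RESPONSES = {
    "Sumi": {"data": [
        {"id": "1001", "name": "Hekate", "subscribed_fields": ["messages", "messaging_postbacks"]},
        {"id": "2002", "name": "Chatfuel", "subscribed_fields": ["messages"]},
    ]},
    "Catbot": {"data": [
        {"id": "2002", "name": "Chatfuel", "subscribed_fields": ["messages", "messaging_postbacks"]},
    ]},
}

# Constructed allowlist: the app ids each page is supposed to be wired to.
EXPECTED_APPS = {"Sumi": {"1001"}, "Catbot": {"2002"}}


def audit_page(page, response, expected_ids):
    """Return a list of finding strings for one page's subscribed apps."""
    findings = []
    message_handlers = []
    for app in response.get("data", []):
        fields = set(app.get("subscribed_fields", []))
        if app["id"] not in expected_ids:
            findings.append(f"{page}: unexpected app {app['name']} ({app['id']}) "
                            f"subscribed to {sorted(fields)}")
        if fields & MESSAGING_FIELDS:
            message_handlers.append(app["name"])
    # More than one app receiving message events means two bots answer the same user.
    if len(message_handlers) > 1:
        findings.append(f"{page}: {len(message_handlers)} apps receive message events: "
                        f"{', '.join(sorted(message_handlers))}")
    return findings


def audit_all(responses, expected):
    """Audit every page; pages missing from the allowlist expect no apps at all."""
    findings = []
    for page in sorted(responses):
        findings += audit_page(page, responses[page], expected.get(page, set()))
    return findings


if __name__ == "__main__":
    for line in audit_all(SAMPLE_RESPONSES, EXPECTED_APPS):
        print(line)
```

Run on a schedule against live responses, a non-empty result is the signal to review the page's subscribed apps before users see a second bot replying.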
