Messenger Rooms Bug Bounty Write-up

Unrestricted API calls as Messenger Rooms Guest

Timeline (TL;DR)

Report Sent (by Jane Manchun Wong)
Report Triaged (by Facebook)
Requested for status update (by Jane Manchun Wong)
Mitigated with a temporary fix (by Facebook)
Vulnerability Patched (by Facebook)
Bug Bounty Awarded (by Facebook)
Embargo Lifted

Introduction

Messenger is developing “Video Meetup Link”, a feature that allows anyone to join a Messenger Call through an invite link even without a Facebook account.

Joining a Messenger call anonymously is authenticated by creating a special kind of user, named [REDACTED].

Although [REDACTED] is created for the sole purpose of joining the Messenger Call, this guest user is capable of doing more than it is supposed to do. For example, it can (anonymously) create a “Video Meetup Link” while acting as a video meetup guest user.

The guest user is also capable of other queries, such as browsing Facebook without having a real Facebook account.

[REDACTED] should only be capable of joining the Messenger Call, nothing else. Any operation other than joining the call should be unauthorized.

Repro Steps

Supposedly, the only thing a [REDACTED] can do is join the Messenger Call the guest user is created for. But here, we can create another Messenger Call using the guest user.

HTTP POST /graphql
Host: graph.facebook.com

doc_id=[REDACTED]
variables={ … }

From the response to the above request, we can see it is possible to create another Messenger Call Invite Link without a real Facebook account. A [REDACTED] is not supposed to have that capability.

Other than creating the invite link, [REDACTED] is also capable of browsing Facebook, when it is supposed to only be able to join the Messenger Call it is created for. It does not bypass the usual privacy checks per se, but [REDACTED] is not even supposed to be able to browse any content whose privacy setting is set to “Public”. Again, the only job this user has is to join the Messenger Call.
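The authorization gap described above, as an added illustration that is not code from the report or from Facebook: a guest principal that merely counts as “authenticated” passes every per-target privacy check, whereas a capability check keyed on the principal type (deny by default, join-only for guests) closes both the link-creation and the public-browsing paths. The operation names, the `Principal` type and the sample requests are hypothetical stand-ins for the redacted guest user class and doc_ids.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-ins for the redacted GraphQL doc_ids in the report.
JOIN_CALL, CREATE_CALL_LINK, VIEW_PUBLIC_POST = "join_call", "create_call_link", "view_public_post"

@dataclass(frozen=True)
class Principal:
    kind: str                      # "account" (real user) or "guest" (call-scoped)
    call_id: Optional[str] = None  # the single call a guest was minted for

# Everything a guest may do; any operation not listed is denied.
GUEST_CAPABILITIES = frozenset({JOIN_CALL})

def content_checks(p: Principal, op: str, target: dict) -> bool:
    """The usual per-target privacy checks, shared by both versions."""
    if op == JOIN_CALL:
        return p.kind == "account" or target.get("call_id") == p.call_id
    if op == VIEW_PUBLIC_POST:
        return target.get("privacy") == "public"
    if op == CREATE_CALL_LINK:
        return True  # no target to check: any authenticated principal passes
    return False

def weak_authorize(p: Optional[Principal], op: str, target: dict) -> bool:
    """Before the fix: a guest session counts as 'authenticated', so only the
    target's privacy is checked and the actor's purpose is never considered."""
    return p is not None and content_checks(p, op, target)

def strict_authorize(p: Optional[Principal], op: str, target: dict) -> bool:
    """After the fix: the actor's capability set is checked first, so a guest can
    only join the call it was created for; real accounts keep the old path."""
    if p is None:
        return False
    if p.kind == "guest" and op not in GUEST_CAPABILITIES:
        return False
    return content_checks(p, op, target)

# Constructed requests mirroring the report, issued by a guest bound to call "c1".
GUEST = Principal("guest", call_id="c1")
REQUESTS = [
    (JOIN_CALL, {"call_id": "c1"}),          # the one thing a guest should do
    (JOIN_CALL, {"call_id": "c2"}),          # someone else's call
    (CREATE_CALL_LINK, {}),                  # creating a new invite link
    (VIEW_PUBLIC_POST, {"privacy": "public"}),  # browsing public content
]

def over_permissive(p: Principal = GUEST) -> list:
    """Operations the weak check allows for p that the strict check denies."""
    return [op for op, t in REQUESTS
            if weak_authorize(p, op, t) and not strict_authorize(p, op, t)]
```

Running `over_permissive()` for the guest returns exactly the two operations the report flags, while a real account sees no difference between the two checks.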

Further Comments from Facebook

After this security vulnerability had been resolved, I reached out to Facebook for further comment. Facebook’s Security Team gave me the following statement via Facebook Tech Comms Manager Alexandru Voica:

The issue you found was in an early test of Messenger video chat links, which we’ve fixed in Messenger Rooms. To address the issue, we made the permission checks on our API more restrictive. People who join a Room call without a Facebook or Messenger account will only be able to access the video chat. They will not be able to access Facebook or Messenger without creating an account first. Rooms links can only be created by people with Facebook or Messenger accounts, and soon through WhatsApp and Instagram too. As always, we appreciate you submitting the report to our bug bounty program and helping us strengthen the security of our products!