Failed Messenger E2EE bugs
Here is the list of my failed submissions to Facebook (now Meta), including those closed as Not Applicable and Duplicate.
Remote Crash Vulnerability via delete_chat Command in Messenger E2EE Chats (Android & iOS)
Vuln Type
Denial-of-Service (DoS)
Product Area
Messenger
Description/Impact
A vulnerability has been identified in Messenger, specifically affecting end-to-end encrypted (E2EE) chats, including both direct (one-to-one) chats and group chats. This issue affects both the Android and iOS versions of the application.
When an attacker compromises a victim's account (for example through phishing, session hijacking, or another form of unauthorized access), they can send the delete_chat command targeting another device logged into the same account. When executed in the context of an E2EE chat, this command triggers an unexpected error on the targeted device, causing the Messenger application to crash.
The crash is caused by improper handling of the delete_chat request within the E2EE framework, which neither validates the command nor processes it gracefully across synchronized devices.
Restarting the app does not resolve the issue, leaving the application unusable on the affected device until the victim reinstalls it entirely.
Repro Steps
Mobile app version: Latest
Assume the victim is logged in to Messenger on two devices: Web and Android (the demo uses an Android emulator).
The attacker has compromised the Web session and is able to execute the delete chat function on any E2EE chat.
Please check the attached screen recording.
1. The attacker opens devtools and adds a breakpoint on the line `a = b.contents;` in `WASendAppDataFanoutProtocol`.
2. The attacker deletes an E2EE chat and the breakpoint is hit.
3. The attacker edits the value of chatJid, adding a negative sign (-) at the start of it.
4. The attacker hits continue.
5. Observe that the Messenger app crashes in the Android emulator. The crash persists even after closing and reopening the app. The stack trace can be seen in logcat.
URL Spoofing Vulnerability in Messenger E2EE Chat
Vuln Type
Other
Product Area
Messenger
Description/Impact
A URL spoofing vulnerability has been identified that allows an attacker to send the victim a malicious link that appears to lead to one destination but redirects the victim to another unintended and potentially malicious URL. This issue could lead to phishing attacks, unauthorized access, or other malicious activities.
Recommended mitigation:
- I suggest that you display a warning box when the user clicks the received message.
Repro Steps
Mobile app version: Latest
Two users are connected in a chat with E2EE enabled. Say Bob is the attacker and Alice is the victim.
1. Bob opens the chat with Alice in Messenger web.
2. Bob opens Chrome devtools and sets a breakpoint in order to manipulate the message before it is sent.
Details are in the attached screen recording. The breakpoint is in MAWAsMessageApplication.asMessageApplication.
3. Bob types a legitimate URL to send, for example https://example.com, then sends it.
4. The breakpoint is hit in devtools. Bob changes nativeURL and actionURL to a malicious URL, for example https://x.com.
5. Bob hits continue in devtools to send the message to Alice. Observe that Alice receives the message and is taken to the malicious site when clicking the link, despite its displayed title.
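Both submissions above come down to the receiving client trusting fields that a peer device controls. The following is an added example, not Messenger's or Meta's code, of the client-side checks a defender would want: a link message is flagged when its displayed URLs disagree with actionURL on the destination host, and a synced delete_chat command with a malformed chatJid is rejected instead of being allowed to crash the app. The field names nativeURL, actionURL and chatJid come from the writeup; the message and command shapes, the title field and the JID pattern are assumptions made for this illustration.

```javascript
// Added example (not Messenger's/Meta's code). Field names nativeURL, actionURL and
// chatJid come from the writeup; message/command shapes and the JID pattern are assumed.

// Parse a URL and return its lower-cased hostname, or null if it is not a valid URL.
function hostOf(raw) {
  try {
    return new URL(String(raw)).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Classify an incoming link message. The displayed fields (title, nativeURL) must
// agree with actionURL on the destination host; otherwise the client should show the
// real target (or a warning) instead of trusting the displayed text.
//   'invalid'  - actionURL is not a parseable URL
//   'mismatch' - a displayed URL points at a different host than actionURL
//   'ok'       - every displayed URL agrees with actionURL
function classifyLinkMessage(msg) {
  const target = hostOf(msg.actionURL);
  if (target === null) return 'invalid';
  for (const shown of [msg.title, msg.nativeURL]) {
    const h = hostOf(shown); // a title that is not a URL is not compared
    if (h !== null && h !== target) return 'mismatch';
  }
  return 'ok';
}

// Assumed canonical chat id shape: digits (digits-digits for groups) followed by a
// server suffix. Anything else, including a leading '-', is rejected.
const CHAT_JID_RE = /^[0-9]+(-[0-9]+)?@(s\.whatsapp\.net|g\.us)$/;

function isValidChatJid(jid) {
  return typeof jid === 'string' && CHAT_JID_RE.test(jid);
}

// Handle a synced delete_chat command without throwing: a malformed chatJid is
// counted as rejected (and could be logged) rather than propagated to the UI layer.
function handleDeleteChat(state, cmd) {
  if (!isValidChatJid(cmd.chatJid)) {
    return { ...state, rejected: state.rejected + 1 };
  }
  return { ...state, chats: state.chats.filter((jid) => jid !== cmd.chatJid) };
}
```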