Session Expiration Bypass in Messenger (Duplicate)
Hello everyone,
Welcome back after a long gap. Sorry for not writing any new write-ups for a long time; I haven't been doing anything for a while because of work and study. My exams start in a few days, so I thought I should publish this write-up before them, or it would be delayed for the next few months.
We all know what Messenger is, but let me explain a little: "Facebook Messenger is an American messaging app and platform developed by Facebook, Inc. It was originally developed as Facebook Chat in 2008."
Facebook keeps bringing new features time and again, and with the introduction of a new feature there often comes a new bug. I am not certain, but I think there previously wasn't any feature that let us manage our Page chats from Messenger, so this bug was also introduced along with that feature.
What was I able to do?
With this bug, I was able to send messages, delete messages, send a malicious link, and do everything else that can be done on Messenger, even after the active session had expired.
How did I bypass the session expiration?
When we go to Facebook's "Security and Login" settings and log out all the logged-in devices, Messenger shows that the login session has expired, but it wasn't actually expired in Messenger.
So, how was I able to send messages even after this?
For this, I used two devices: my phone and my laptop.
Reproduction Steps:
- First, I logged into both devices.
- I then switched my user account to the Page account from my phone.
- I logged out all the active Messenger sessions from my laptop.
- A "Session expired" message was shown.
- I then turned off my mobile data or Wi-Fi.
- I then closed all running apps and reopened Messenger.
- I wrote a message and, while sending it, turned on my Wi-Fi or mobile data.
- A "Session expired" message was shown, but the message was still sent to the user.
Note: This bug is similar to Ajay Gautam's "Session Expiration Bypass in Facebook Creator App", so you may notice some similarity in this write-up.
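The sequence above, modelled as an added Python example (not Facebook's or Messenger's code): a toy message server that revokes all of a user's sessions, plus two send handlers. The write-up does not say where the real root cause lay, so the weak handler here assumes, hypothetically, that a message composed offline and flagged as "queued" skipped re-authorisation; the fixed handler shows the defender's rule of checking live session state on every write, whenever the client composed it.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    # token -> {"user": str, "revoked": bool}; constructed in-memory store
    sessions: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)

    def login(self, user, token):
        self.sessions[token] = {"user": user, "revoked": False}

    def logout_everywhere(self, user):
        # "Security and Login" -> log out of all sessions for this user
        for s in self.sessions.values():
            if s["user"] == user:
                s["revoked"] = True

    def session_valid(self, token):
        s = self.sessions.get(token)
        return s is not None and not s["revoked"]

    def send_weak(self, token, text, queued=False):
        # Hypothetical flawed handler: trusts a client-supplied "queued" flag
        # and skips re-authorisation for messages composed offline.
        if not queued and not self.session_valid(token):
            return "rejected: session expired"
        self.delivered.append(text)
        return "delivered"

    def send_fixed(self, token, text, queued=False):
        # Hardened handler: every write is authorised against live session
        # state, regardless of when or where the client composed it.
        if not self.session_valid(token):
            return "rejected: session expired"
        self.delivered.append(text)
        return "delivered"

def reproduce(handler_name):
    """Replay the write-up's steps against one of the two handlers."""
    srv = Server()
    srv.login("alice", "phone-token")       # step 1: phone logged in
    srv.login("alice", "laptop-token")      # step 1: laptop logged in
    srv.logout_everywhere("alice")          # step 3: log out all sessions
    # steps 5-8: phone offline, Messenger reopened with its cached token,
    # message composed and held in a local outbox (constructed sample)
    outbox = [("phone-token", "hello from the page", True)]
    # connectivity returns and the client flushes the outbox
    handler = getattr(srv, handler_name)
    return [handler(tok, text, queued=q) for tok, text, q in outbox]
```

`reproduce("send_weak")` returns `['delivered']`, which is the bug as observed; `reproduce("send_fixed")` returns `['rejected: session expired']`.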
Impact:
Once logged into someone's Facebook account, I could have continued using that account even after the victim logged out all devices or changed their password.
Though it was marked as a duplicate, I thought it would be helpful for others.
The bug is now fixed.
Timeline
Reported: January 26, 2021
Asked for more info: January 27, 2021
More info was sent: January 27, 2021
Reproduced: January 27, 2021
Duplicate: January 28, 2021
Video POC: