Facebook Messenger Denial Of Service

2019.09.10
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Facebook Messenger Remote Denial of Service Vulnerability Report by Social Engineering Neo. Affected Platforms: - Android ≤9 IOS ≤11 Messenger Messenger Lite Tested On: - Android 6 & 7 IOS 11 Messenger (build 228.1.0.10.116) Messenger Lite (build 65.0.1.18.236) Class: - Denial of Service. Summary: - All versions of Messenger Lite and Multiple Versions of Messenger are susceptible to a Remote Denial of Service Vulnerability. Short Description: - A user can remotely crash a user’s Messenger application by sending a message containing a single character. Long Description: - 'ATTACKER' sends a single soft hyphen to 'VICTIM' Upon opening the message, the Messenger application on 'VICTIM' device crashes when loading the single character. Proof of Concept: - #### Tested on Latest Version of Messenger Lite on Android 6 'ATTACKER' send single soft hyphen to 'VICTIM' 'VICTIM' open message sent by 'ATTACKER' #### VIDEO: - https://youtu.be/En1npDpgv_o Expected Result: - It shouldn't be possible to remotely crash the application on a remote user’s device. Observed Result: - Application remotely crashes upon loading message. Our Recommendation: Change the way soft hyphens are loaded in the application. CVSS v3 Vector: - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:O/RC:R/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:H CVSS Base Score: - 8.2 Impact Subscore: - 4.2 Exploitability Subscore: - 3.9 CVSS Temporal Score: - 7.3 CVSS Environmental Score: - 7.3 Modified Impact Subscore: - 4.2 Overall CVSS Score: - 7.3 CVSS v2 Vector: - AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:UR/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND CVSS Base Score: - 8.5 Impact Subscore: - 7.8 Exploitability Subscore: - 10.0 CVSS Temporal Score: - 6.7 CVSS Environmental Score: - 5.7 Modified Impact Subscore: - 7.8 Overall CVSS Score: - 5.7 TIMELINE: - Discovery 2017 : - Initial Report 23rd August 2019 : - Case Opened 23rd August 2019 : - Added Detail 24th August 2019 *Public Disclosure Date: - Sep 18th 2019 UTC -08:00 (25 days from initial report)* : - Added Detail 27th August 2019 : - Response 27th August 2019 : - Added Detail 27th August 2019 : - Response 29th August 2019 : - Added Detail 29th August 2019 : - Response 1st September 2019 : - Added Detail 1st September 2019 : - Case Closed 5th September 2019 *PATCH RELEASED PUBLICLY* : - Added Detail 5th September 2019 *Public Disclosure Date: - Jul 6th 2019 UTC -08:00 (24 hours from patch)* : - We thank the Facebook Security team for their quick patch.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top