Messenger leaking the victim's video even though the victim gets a pop-up/full-screen UI saying their video isn't being shared.
After finding a few technical bugs on the Facebook program, I was looking at new programs when I read about how FaceTime had leaked audio if you tried to call someone, even if they didn't pick up, and another report by Google's zero-day team detailing how they found similar bugs in many audio/video apps. So I started looking for similar (less technical) bugs in Messenger.
Victim is using Messenger for Android.
Attacker is using the Facebook web app in Edge/Chrome.
Bug in Messenger Room
The bug was simple yet thought-provoking, and you had to wait a few minutes for it to take effect, so I think others hadn't found it before me.
Moving on to the bug
You are the victim's friend and you are in a Messenger Rooms call with the victim. You, as the attacker, join the call with your camera off by disabling it in the Chrome or Edge settings. After being in the call for 1–2 minutes, the victim gets a full-screen alert (pop-up) in their Messenger call UI saying "Since another person (the attacker) in the call didn't open their video, they won't be able to see your video too". So Facebook is adding another layer of privacy here.
What should be happening?
In a normal Messenger call (not a Messenger Rooms call), after the victim gets this alert ("Since another person (the attacker) in the call didn't open their video, they won't be able to see your video too"), the victim's video is stopped and the other person on the call can't see it. Cool.
But in a Messenger Rooms call, even though the victim gets the alert that nobody can see their video, the attacker can see it. The pop-up/full-screen alert is persistent: while the attacker is watching the victim's video, the victim keeps getting the notification in the UI that their video isn't being seen by anyone.
So the main issue was that the pop-up was telling the victim that nobody could see their video when the opposite was happening.
So Facebook fixed the issue and paid 5k USD + late bonus.
Now comes the interesting part
The Bypass (better than the original bug)
On further inspection everything was working perfectly; the Messenger Rooms condition was fixed and I couldn't find any bypass.
But Messenger has a peculiar feature that most people may not know about: call continuity. You can call someone from Messenger on Android and later open Messenger in the browser and resume the call from there without ending it. We are going to use this in the bypass.
a. The victim is in an audio call with the attacker on Messenger.
b. The victim clicks the video option. On clicking it, the attacker gets a UI notification saying the victim wants to join a video call. The attacker clicks no.
c. Now the attacker can't see the victim's video, since the attacker didn't open their own video.
d. Main part: the victim gets a pop-up/full-screen UI saying "Since another person (the attacker) in the call didn't open their video, they (the attacker) won't be able to see your video too".
e. Now the victim may think that their video isn't being shared, since the pop-up says so.
f. But the attacker has an idea.
g. The attacker, who is on the main Messenger app, now switches to the Messenger Lite app and audio-calls the victim. Because of the continuity feature, the attacker can continue the call with the victim. The interesting part is that after switching to Messenger Lite and continuing the call by pressing audio call (strictly not video), the attacker can see the victim's video. (The problem isn't the attacker seeing the victim's video; it is the victim getting the message/notification in the UI saying their video isn't being shared.)
You could only do this by switching the call using Messenger Lite. Messenger Lite was lacking some part of the protocol, which gave rise to the bug.
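As an added illustration (not Messenger's code, and not how Meta actually fixed the issue), here is a small Python model of the reciprocal-video rule described above. It assumes two things that are my reading of the write-up rather than anything documented: that the "nobody can see your video" alert is stored as a one-off flag when it fires, and that the Lite client skips the reciprocity check on the receiving side (the "lacking some protocol" remark). The scenario replays the Lite bypass, and the same sticky-indicator flaw is what the Rooms bug exposed: the UI text and the media path are two separate pieces of state that are allowed to drift apart. The fixed variant derives the indicator from the same decision that controls delivery, so it cannot claim one thing while the media path does another.

```python
"""Model of a call's reciprocal-video privacy rule (added illustration).

Constructed scenario: a victim with the camera on, an attacker who joined
with the camera off and then moves the same call to a different client.
Participant names and client labels are made up for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

State = Tuple[List[str], bool]  # (names receiving my video, UI says "shared")


@dataclass
class Participant:
    name: str
    client: str            # constructed labels: "android", "web", "lite"
    camera_on: bool = False


@dataclass
class Call:
    members: Dict[str, Participant] = field(default_factory=dict)
    # Buggy design: the alert is recorded once, when it fires, and never
    # re-derived when the call's membership or client changes.
    alert_shown: Dict[str, bool] = field(default_factory=dict)

    def join(self, p: Participant) -> None:
        self.members[p.name] = p

    def switch_client(self, name: str, client: str) -> None:
        # Call continuity: same participant, same call, different app.
        self.members[name].client = client

    def peers(self, name: str) -> List[Participant]:
        return [p for n, p in self.members.items() if n != name]


# --- buggy model: indicator and media path are separate state ----------
def buggy_raise_alert(call: Call, name: str) -> None:
    """Fires after the grace period when some peer has no camera on."""
    if any(not p.camera_on for p in call.peers(name)):
        call.alert_shown[name] = True


def buggy_delivers_video(receiver: Participant) -> bool:
    # Assumption: the lite client lacks the reciprocity check, so it is fed
    # the stream regardless of its own camera state.
    if receiver.client == "lite":
        return True
    return receiver.camera_on


def buggy_state(call: Call, name: str) -> State:
    me = call.members[name]
    receivers = [p.name for p in call.peers(name)
                 if me.camera_on and buggy_delivers_video(p)]
    ui_says_shared = not call.alert_shown.get(name, False)
    return receivers, ui_says_shared


# --- fixed model: indicator derived from the delivery decision ---------
def fixed_delivers_video(sender: Participant, receiver: Participant) -> bool:
    # Reciprocity enforced uniformly, whatever client the receiver uses.
    return sender.camera_on and receiver.camera_on


def fixed_state(call: Call, name: str) -> State:
    me = call.members[name]
    receivers = [p.name for p in call.peers(name)
                 if fixed_delivers_video(me, p)]
    # The UI text is a pure function of who actually receives the stream.
    return receivers, bool(receivers)


def consistent(state: State) -> bool:
    """True when the UI claim matches what the media path is doing."""
    receivers, ui_says_shared = state
    return bool(receivers) == ui_says_shared


def run_scenario(state_fn: Callable[[Call, str], State],
                 alert_fn: Callable[[Call, str], None] = lambda c, n: None
                 ) -> Tuple[State, State]:
    call = Call()
    call.join(Participant("victim", "android", camera_on=True))
    call.join(Participant("attacker", "web", camera_on=False))
    alert_fn(call, "victim")              # "nobody can see your video"
    before = state_fn(call, "victim")
    call.switch_client("attacker", "lite")  # continuity into the lite app
    after = state_fn(call, "victim")
    return before, after


if __name__ == "__main__":
    for label, fn, alert in (("buggy", buggy_state, buggy_raise_alert),
                             ("fixed", fixed_state, lambda c, n: None)):
        before, after = run_scenario(fn, alert)
        print(label, "before:", before, consistent(before))
        print(label, "after: ", after, consistent(after))
```

In the buggy run the state after the client switch is `(['attacker'], False)`: the attacker receives the feed while the UI still says it is not shared, which is exactly the mismatch reported. In the fixed run the delivery check is applied on the sending side regardless of the receiver's client and the indicator is computed from it, so both snapshots stay consistent. The general lesson for any privacy indicator (camera, microphone, screen share, location) is that it must be a view of the enforcement decision, not a separate flag set when a message was last shown.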
Facebook response about the bug
So Facebook fixed this bug in less than a month (I had hoped they'd take longer 😅, as I didn't get the late bounty). They paid me 5K again plus the league bonus.
In this way I made 10K total plus bonuses from the Meta bug bounty program and made it into the hall of fame for 2021 and 2022.
And the bug using this method is completely fixed, as the Facebook team removed the on-screen pop-up/notification entirely. Bugs where the attacker can see the victim's video without opening their own camera first won't be accepted any more, since the pop-up that told the victim nobody was seeing their video has been removed.
Thanks for reading.