Share
Facebook Messenger Remote Denial of Service Vulnerability Report by Social Engineering Neo.  
  
  
Affected Platforms: -  
Android ≤9  
IOS ≤11  
Messenger  
Messenger Lite  
  
  
Tested On: -  
Android 6 & 7  
IOS 11  
Messenger (build 228.1.0.10.116)  
Messenger Lite (build 65.0.1.18.236)  
  
  
Class: -  
Denial of Service.  
  
  
Summary: -  
All versions of Messenger Lite and Multiple Versions of Messenger are susceptible to a Remote Denial of Service Vulnerability.  
  
  
Short Description: -  
A user can remotely crash a user’s Messenger application by sending a message containing a single character.  
  
  
Long Description: -  
'ATTACKER' sends a single soft hyphen to 'VICTIM'  
Upon opening the message, the Messenger application on 'VICTIM' device crashes when loading the single character.  
  
  
Proof of Concept: -  
####  
Tested on Latest Version of Messenger Lite on Android 6  
  
'ATTACKER' send single soft hyphen to 'VICTIM'  
'VICTIM' open message sent by 'ATTACKER'  
####  
  
VIDEO: - https://youtu.be/En1npDpgv_o  
  
  
Expected Result: -  
It shouldn't be possible to remotely crash the application on a remote user’s device.  
  
  
Observed Result: -  
Application remotely crashes upon loading message.  
  
  
Our Recommendation:  
Change the way soft hyphens are loaded in the application.  
  
  
CVSS v3 Vector: -  
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:O/RC:R/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:H  
  
CVSS Base Score: - 8.2  
Impact Subscore: - 4.2  
Exploitability Subscore: - 3.9  
CVSS Temporal Score: - 7.3  
CVSS Environmental Score: - 7.3  
Modified Impact Subscore: - 4.2  
Overall CVSS Score: - 7.3  
  
  
CVSS v2 Vector: -  
AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:UR/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND  
  
CVSS Base Score: - 8.5  
Impact Subscore: - 7.8  
Exploitability Subscore: - 10.0  
CVSS Temporal Score: - 6.7  
CVSS Environmental Score: - 5.7  
Modified Impact Subscore: - 7.8  
Overall CVSS Score: - 5.7  
  
  
TIMELINE: - Discovery 2017  
: - Initial Report 23rd August 2019  
: - Case Opened 23rd August 2019  
: - Added Detail 24th August 2019 *Public Disclosure Date: - Sep 18th 2019 UTC -08:00 (25 days from initial report)*  
: - Added Detail 27th August 2019  
: - Response 27th August 2019  
: - Added Detail 27th August 2019  
: - Response 29th August 2019  
: - Added Detail 29th August 2019  
: - Response 1st September 2019  
: - Added Detail 1st September 2019  
: - Case Closed 5th September 2019 *PATCH RELEASED PUBLICLY*  
: - Added Detail 5th September 2019 *Public Disclosure Date: - Jul 6th 2019 UTC -08:00 (24 hours from patch)*  
  
: - We thank the Facebook Security team for their quick patch.