Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Facebook Messenger Denial Of Service

🗓️ 06 Sep 2019 00:00:00Reported by Social Engineering NeoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 318 Views

Facebook Messenger Remote Denial of Service Vulnerability in Android and iO

Code
`Facebook Messenger Remote Denial of Service Vulnerability Report by Social Engineering Neo.  
  
  
Affected Platforms: -  
Android ≤9  
IOS ≤11  
Messenger  
Messenger Lite  
  
  
Tested On: -  
Android 6 & 7  
IOS 11  
Messenger (build 228.1.0.10.116)  
Messenger Lite (build 65.0.1.18.236)  
  
  
Class: -  
Denial of Service.  
  
  
Summary: -  
All versions of Messenger Lite and Multiple Versions of Messenger are susceptible to a Remote Denial of Service Vulnerability.  
  
  
Short Description: -  
A user can remotely crash a user’s Messenger application by sending a message containing a single character.  
  
  
Long Description: -  
'ATTACKER' sends a single soft hyphen to 'VICTIM'  
Upon opening the message, the Messenger application on 'VICTIM' device crashes when loading the single character.  
  
  
Proof of Concept: -  
####  
Tested on Latest Version of Messenger Lite on Android 6  
  
'ATTACKER' send single soft hyphen to 'VICTIM'  
'VICTIM' open message sent by 'ATTACKER'  
####  
  
VIDEO: - https://youtu.be/En1npDpgv_o  
  
  
Expected Result: -  
It shouldn't be possible to remotely crash the application on a remote user’s device.  
  
  
Observed Result: -  
Application remotely crashes upon loading message.  
  
  
Our Recommendation:  
Change the way soft hyphens are loaded in the application.  
  
  
CVSS v3 Vector: -  
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:O/RC:R/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:H  
  
CVSS Base Score: - 8.2  
Impact Subscore: - 4.2  
Exploitability Subscore: - 3.9  
CVSS Temporal Score: - 7.3  
CVSS Environmental Score: - 7.3  
Modified Impact Subscore: - 4.2  
Overall CVSS Score: - 7.3  
  
  
CVSS v2 Vector: -  
AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:UR/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND  
  
CVSS Base Score: - 8.5  
Impact Subscore: - 7.8  
Exploitability Subscore: - 10.0  
CVSS Temporal Score: - 6.7  
CVSS Environmental Score: - 5.7  
Modified Impact Subscore: - 7.8  
Overall CVSS Score: - 5.7  
  
  
TIMELINE: - Discovery 2017  
: - Initial Report 23rd August 2019  
: - Case Opened 23rd August 2019  
: - Added Detail 24th August 2019 *Public Disclosure Date: - Sep 18th 2019 UTC -08:00 (25 days from initial report)*  
: - Added Detail 27th August 2019  
: - Response 27th August 2019  
: - Added Detail 27th August 2019  
: - Response 29th August 2019  
: - Added Detail 29th August 2019  
: - Response 1st September 2019  
: - Added Detail 1st September 2019  
: - Case Closed 5th September 2019 *PATCH RELEASED PUBLICLY*  
: - Added Detail 5th September 2019 *Public Disclosure Date: - Jul 6th 2019 UTC -08:00 (24 hours from patch)*  
  
: - We thank the Facebook Security team for their quick patch.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Sep 2019 00:00Current
7.4High risk
Vulners AI Score7.4
facebook messengerdenial of serviceremote vulnerabilityandroidiosmessenger lite
318