Ability to send payment requests inspite of being blocked by the recipient
TL;DR - I, as an attacker could send payment requests to anyone on Facebook even if:
-
I am not a friend of the victim recipient
-
The victim recipient has explicitly blocked me from sending any messages in Facebook Messenger
And, if you are interested in the details, here goes..
Payment requests are normally sent as messages from the Messenger (and can only be sent to a friend) but if you are blocked from sending messages by somebody (whether a friend or not a friend), you can't technically send payment requests or any messages for that matter from the Facebook Messenger UI.
I observed that this wasn't completely true. If you could capture a request to send payment requests (to lets say a legit friend who hasn't blocked you from sending messages), it was possible to just replay that same request using a proxy tool such as Burp (and changing the recipient ID to the victim's ID or for that matter anyone on Facebook) and it would be sent successfully. Another problem with this was that the victim would receive an email saying that Attacker has sent you a payment request. So, this was also abusing the Facebook platform to spam anyone on Facebook and/or carry a spear phishing campaign.
The request looked like below:
POST /p2p/payment_requests/_create/ HTTP/1.1 Host: www.facebook.com Cookie: c_user=<redacted>; xs=<redacted>; Connection: close amount=<amount_requested>&offline_threading_id=<redacted>&requestee_id=<profile_id_who_to_send_to>&__a=1&fb_dtsg=<csrf_token>
Facebook rewarded $1500 for this bug.
