Ability to send payment requests inspite of being blocked by the recipient

TL;DR - I, as an attacker could send payment requests to anyone on Facebook even if:

  • I am not a friend of the victim recipient

  • The victim recipient has explicitly blocked me from sending any messages in Facebook Messenger

And, if you are interested in the details, here goes..

Payment requests are normally sent as messages from the Messenger (and can only be sent to a friend) but if you are blocked from sending messages by somebody (whether a friend or not a friend), you can't technically send payment requests or any messages for that matter from the Facebook Messenger UI.

I observed that this wasn't completely true. If you could capture a request to send payment requests (to lets say a legit friend who hasn't blocked you from sending messages), it was possible to just replay that same request using a proxy tool such as Burp (and changing the recipient ID to the victim's ID or for that matter anyone on Facebook) and it would be sent successfully. Another problem with this was that the victim would receive an email saying that Attacker has sent you a payment request. So, this was also abusing the Facebook platform to spam anyone on Facebook and/or carry a spear phishing campaign.

The request looked like below:

POST /p2p/payment_requests/_create/ HTTP/1.1 Host: www.facebook.com Cookie: c_user=<redacted>; xs=<redacted>; Connection: close amount=<amount_requested>&offline_threading_id=<redacted>&requestee_id=<profile_id_who_to_send_to>&__a=1&fb_dtsg=<csrf_token>

Facebook rewarded $1500 for this bug.

If you like the content and don't want to miss out on new posts, enter your email and hit the Subscribe button below. I promise I won't spam. Only premium content!