Facebook Messenger for MacOS contained valid hardcoded FB access token (employee's token?)


This summer I decided to test Facebook Messenger for MacOS. I grepped all URLs from the code and started to analyze them. I quickly noticed a few URLs pointing to an image that carried an "access_token" value:

Cool! Interesting, is this token still valid?

I opened https://developers.facebook.com/tools/debug/accesstoken/?access_token= and got confirmation: the token is valid!

I stopped my experiments and quickly sent a report to the Facebook team.

The whole time before the bounty decision I hoped that this token had some extra internal permissions. Unfortunately for me, it looks like it was just a normal token, probably belonging to a Facebook employee, without any extra access. I think some software developer placed such a link inside the app by mistake, and it went out to the whole world))
So, be careful and attentive when you investigate hardcoded data inside apps ;)
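The check described above (pull URLs out of an app's files and look for ones that carry an access token) can be automated as a pre-release scan so a token like this never ships. The script below is an added example, not the author's tooling; the sample bytes and the token value are constructed placeholders, and the value is redacted in the output so the scan itself does not reprint a secret.

```python
"""Scan application files for embedded URLs whose query string carries an
access-token style parameter.  Added example, not the post's own code; the
SAMPLE blob and the EAABexample... token are constructed placeholders."""
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Matches http(s) URLs embedded in arbitrary bytes (Mach-O binaries, plists, JS bundles).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Query parameter names that should never appear hardcoded in a shipped build.
SECRET_PARAMS = {"access_token", "fb_access_token"}

def redact(token: str) -> str:
    """Keep enough of the value to correlate reports without reprinting the secret."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"

def find_token_urls(data: bytes):
    """Return (url_without_query, param_name, redacted_value) for every embedded
    URL whose query string carries one of SECRET_PARAMS."""
    hits = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        query = parse_qs(urlsplit(url).query)
        for param in query.keys() & SECRET_PARAMS:
            for value in query[param]:
                hits.append((url.split("?")[0], param, redact(value)))
    return hits

def scan_bundle(root: Path):
    """Walk an .app bundle (or any directory) and collect hits per file path."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = find_token_urls(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: binary-like junk, one harmless Graph API URL, and one
# image URL carrying a placeholder token (not a real Facebook token).
SAMPLE = (b"\x00\x01mach-o junk\x00https://graph.facebook.com/v11.0/me?fields=id\x00"
          b"https://graph.facebook.com/v11.0/me/picture?access_token=EAABexample0123456789TOKEN\x00")

if __name__ == "__main__":
    for url, param, value in find_token_urls(SAMPLE):
        print(f"{url} carries {param}={value}")
```

Point `scan_bundle(Path("/Applications/Messenger.app"))` at an installed bundle to run the same check over every file in it.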

  • Facebook Messenger v. 97.11.116 for MacOS
  • Submitted: 27.07.2021 10:08AM
  • Triaged: 27.07.2021 12:36AM
  • Fixed: 27.07.2021 12:45AM (token became invalid, may be system automatically invalidated the token or Facebook team did it)
  • Fix notification: 04.08.2021
  • Reward: $500 (+$125 bonus) 08.09.2021
