Facebook Messenger for MacOS contained valid hardcoded FB access token (employee's token?)


This summer I decided to test Facebook Messenger for MacOS. I grepped all URLs from the code and started to analyze them. I quickly noticed a few URLs (see image) with an "access_token" value:

Cool! Interesting: was this token still valid?

I opened https://developers.facebook.com/tools/debug/accesstoken/?access_token= and got confirmation: the token was valid!

I stopped experimenting and quickly sent a report to the Facebook team.

The whole time before the bounty decision I hoped that this token had some extra internal permissions. Unfortunately for me, it looks like it was just a normal token, probably from a Facebook employee, without any extra access. I think some software developer placed such a link inside the app by mistake, and it went out to the whole world))
So, be careful and attentive when you investigate hardcoded data inside apps ;)
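A defender-side check for this class of mistake, written for this post as an added example (not the author's tooling): it walks an app bundle, pulls printable strings the way `strings` would, and flags any embedded URL whose query string carries a token-like parameter, reporting only a hash prefix so the report itself never leaks the value. The parameter-name list and the sample input are assumptions.

```python
#!/usr/bin/env python3
"""Scan an app bundle for URLs that carry hardcoded credential-like query
parameters (e.g. access_token) and report them with the secret redacted.
Meant as a pre-release check on your own build artifacts."""
import hashlib
import os
import re
from urllib.parse import parse_qsl, urlsplit

# Printable runs of at least 8 bytes, same idea as the `strings` utility.
_STRINGS = re.compile(rb"[\x20-\x7e]{8,}")
# URLs embedded in those runs; stop at whitespace or quotes.
_URL = re.compile(r"https?://[^\s\"'<>]+")
# Query-parameter names that should never ship inside a binary (assumed list).
SECRET_PARAMS = {"access_token", "token", "api_key", "apikey", "secret", "auth"}


def find_secret_urls(blob: bytes):
    """Return (url_without_query, param_name, sha256_prefix) for each URL
    whose query string contains a non-empty credential-like parameter."""
    hits = []
    for run in _STRINGS.findall(blob):
        for url in _URL.findall(run.decode("ascii")):
            parts = urlsplit(url)
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                if name.lower() in SECRET_PARAMS and value:
                    # Keep only a short hash so the report cannot leak the token.
                    hint = hashlib.sha256(value.encode()).hexdigest()[:12]
                    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
                    hits.append((base, name, hint))
    return hits


def scan_bundle(root: str):
    """Walk a directory tree (e.g. Foo.app) and collect hits per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                hits = find_secret_urls(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, hits in scan_bundle(sys.argv[1]).items():
        for base, name, hint in hits:
            print(f"{path}: {base}?{name}=<redacted sha256:{hint}>")
```

Run it as `python3 scan.py /Applications/Foo.app` and treat any hit as a build blocker; the hash prefix lets you match the same token across files or builds without ever printing it.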

  • Facebook Messenger v. 97.11.116 (for MacOS)
  • Submitted: 27.07.2021 10:08AM
  • Triaged: 27.07.2021 12:36AM
  • Fixed: 27.07.2021 12:45AM (token became invalid, may be system automatically invalidated the token or Facebook team did it)
  • Fix notification: 04.08.2021
  • Reward: $500 (+$125 bonus) 08.09.2021
