Spam messages deleted from Instagram still visible on the Facebook notifications and clutter the notifications box.

Vuln Type

Privacy / Authorization

Product Area

Pages

Description

I have a Facebook page that is connected with the Instagram page. Whenever anyone sends a message on my Instagram page, I get a notification on my Facebook account.

If a user has sent 10 messages to the Instagram page, I get 10 individual notifications on my Facebook account. When I deleted a spammer's message request, it was deleted from my Instagram messages folder, but these spam messages were still visible in my Facebook notifications. They were visible to other admins and editors as well. Even after blocking the spammer, the message notifications remain there in the Facebook notifications. This clutters the notification inbox and makes it very difficult to use the account and pick out a genuine notification. A notification looks like “User A to [PageName]: “message text””.

When a user sends messages to a Facebook page, for example 10 messages, it shows a single notification in the notification box: “User A sent a message to [PageName]: “message text””. This is intended and works fine.

So the problem is specific to Instagram messages from users, which has a huge impact.

These message notifications are visible on the Facebook website (laptop) and in the FB Lite app.

Impact
An attacker can send a message using the Instagram web or Instagram app.

An attacker sends thousands of messages that fill up the admin's account with thousands of notifications, making it very difficult for the admin to see genuine notifications (a kind of DoS attack too).

An attacker sends spam messages; the admin deletes them from Instagram, but they are still visible in the Facebook notifications.

An attacker sends a spam message; the admin blocks the user, and the message disappears from Instagram but still remains in the Facebook notifications.

If any user unsends a message, it is deleted from Instagram but is still visible in the notifications.

Deleted messages are still visible to everyone who handles the Page.

This makes it hard for the team to work.

When the admin deletes the chat history of a user, it should not be visible in the notification box. If the deleted messages can be viewed again through notifications, what is the point of deleting them?

If an admin has not accepted the message request from an attacker and that user has sent thousands of messages, it overloads the notification box and the page admin becomes unable to see authentic updates on the page. Even if the admin deletes the chat or blocks the user, those messages remain there in the notifications.

Facebook Team Reply:

Hi R,

Your report appears to describe a spam attack against Facebook users and infrastructure, which is out of scope for our program. Additionally, we are aware that messages that were deleted for everyone might, in some scenarios, still show up in a push notification. Our capability of removing push notifications is limited in certain edge cases due to how these systems are implemented in mobile operating systems. Unfortunately, in this scenario, we are unable to remove the push notification. However, you can manually remove notifications by selecting the 3 dots next to the notification and choosing that option in the menu. Although we appreciate the report, such issues do not qualify under our bug bounty program.

Thanks,

If you learn something new, you can send some coffee here.😉
