Session Misconfiguration in Messenger Lite Android App
NOTE : THIS IS BEING PUBLISHED WITH THE PERMISSION OF FACEBOOK UNDER THE RESPONSIBLE DISCLOSURE POLICY. THE BUG IS FIXED NOW.
Sessions Were Not Properly Terminated Under Security And Login :
ABOUT THE FEATURE :
You can manage where you’re logged into Facebook in Security and Login Settings. The Where You’re Logged In section lists where you’re currently logged in. Each entry includes a date, time, location and device type.
To log out of Facebook on another computer, phone or tablet:
- Go to your Security and Login Settings
- Click Where You're Logged In
- Find the session you want to end and click End Activity
Clicking End Activity will immediately log you out of Facebook on that device.
ABOUT THE BUG :If the Messenger Lite Android Application is already running while logging out for it's session via Security and Login Settings then application is required to restart, then only session will be expired or else still messages can be sent and receive.
PROOF OF CONCEPT :
TIMELINE :12 Sept 2017 : Initial Report Sent to Facebook
22 Sept 2017 : Escalation By Facebook
11 Oct 2017 : Facebook Deployed A Complete Fix on Issue
01 Nov 2017 : Bounty of $1000 Rewarded By Facebook