on Saturday, December 7, 2013


This post is about a simple bug I found in Facebook which allowed me to chat with any non-friend minor.
It is a privacy issue: a user could send messages to a minor who is a total stranger, when they shouldn't be able to.

According to Facebook,
Minors can receive messages only from people who are friends of friends and people who have their contact information (ex: email address or phone number). This may include adults they don’t know.

But it was easy for an unknown adult to send messages to a minor.

For a minor who had changed his/her message preferences from Basic Filtering to Strict Filtering (for more privacy)
in privacy settings, this simple trick worked.

Do a graph check to get the fbid:
http://graph.facebook.com/victim

Visit
https://www.facebook.com/messages/<fbid of the minor>

The name of the minor appeared in the "To:" field.
I sent a "hi" without seeing any error, as usual.
Then I logged in to the minor's account to check whether the message was received. The message showed up right in their inbox.
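As an added illustration (not code from this post or from Facebook), the following shows the quoted rule enforced on the server's send path, so that choosing a recipient by typing an fbid into a URL is checked exactly like choosing one in the compose UI. The `User` model, the sample users and the function names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed data model for illustration; not Facebook's schema.
@dataclass
class User:
    uid: str
    is_minor: bool = False
    strict_filtering: bool = False
    friends: set = field(default_factory=set)       # uids of friends
    contacts: set = field(default_factory=set)      # own email/phone values
    address_book: set = field(default_factory=set)  # email/phone values this user holds

def is_friend_of_friend(sender, recipient, users):
    # Direct friends count too; otherwise look one hop out from the recipient.
    if sender.uid in recipient.friends:
        return True
    return any(sender.uid in users[f].friends for f in recipient.friends)

def knows_contact_info(sender, recipient):
    # "People who have their contact information": any shared email or phone.
    return bool(sender.address_book & recipient.contacts)

def minor_can_receive_from(sender, recipient, users):
    """The rule quoted in the post, for a minor on Strict Filtering: only
    friends of friends or people holding the minor's contact info may send."""
    if not (recipient.is_minor and recipient.strict_filtering):
        return True  # other recipients are outside this example's scope
    return (is_friend_of_friend(sender, recipient, users)
            or knows_contact_info(sender, recipient))

def send_message(sender_id, recipient_id, text, users, inbox):
    """Authorization runs here, on the send path itself, so it applies no
    matter how the recipient was chosen (compose UI or a /messages/<fbid> URL)."""
    sender, recipient = users[sender_id], users[recipient_id]
    if not minor_can_receive_from(sender, recipient, users):
        raise PermissionError(f"{sender_id} may not message {recipient_id}")
    inbox.setdefault(recipient_id, []).append((sender_id, text))
    return True

def build_sample():
    """Constructed users: strict-filtering minor, friend, friend-of-friend, email holder, stranger."""
    users = {
        "minor": User("minor", is_minor=True, strict_filtering=True,
                      friends={"friend"}, contacts={"minor@example.com"}),
        "friend": User("friend", friends={"minor", "fof"}),
        "fof": User("fof", friends={"friend"}),
        "knows_email": User("knows_email", address_book={"minor@example.com"}),
        "stranger": User("stranger"),
    }
    return users, {}
```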

The issue was fixed, and I was rewarded with a bounty after reporting it to the security team.