Full Report
Meta's Facebook Messenger can use end-to-end encryption: you select a friend and start an encrypted conversation with them. Because the chat is encrypted, Meta's servers cannot inspect the content, so everything must be verified on the client side. This creates a large attack surface, which the author of this post looked into.

The author was experimenting on Android by sending attachments to a user on a Windows computer in an encrypted chat. They tried a trick as old as security itself, path traversal: adding some ../ to the file name to see what would happen. It turned out that if a victim can receive messages from you, you can write a file to any location on their Windows machine. There are two crucial limitations: existing files cannot be overwritten, and the path is capped at 256 characters by the Windows filesystem limit. The path that the file name is appended to is already 212 characters long, leaving 44 to work with; after traversing up to the C drive, only 12 characters remain. What can you do with 12 characters? "Slack" and "Viber" are very short names, so the author decided to target those application directories. Using DLL hijacking, they planted a DLL that those programs would load, which led to RCE on the victim's device.

Initially they received a payout of 35K. They pointed to Meta's own bug bounty page about payouts and argued that the information provided was insufficient; after doing so they were awarded a further 75K. It is essential to push back on your payouts!
Analysis Summary
# Vulnerability: Path Traversal and RCE in Facebook Messenger for Windows via Encrypted Chats
## CVE Details
- **CVE ID**: Not explicitly assigned in the report (Meta internal tracking).
- **CVSS Score**: Estimated 8.5 - 9.0 (High/Critical)
- **CWE**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products**: Meta Facebook Messenger for Windows.
- **Versions**: Found in v212.1.0.15.233 (Confirmed June 2024).
- **Configurations**: Messenger for Windows receiving encrypted chat messages with file attachments.
## Vulnerability Description
Individual Facebook Messenger clients must perform client-side validation for files received in end-to-end encrypted (E2EE) chats, as Meta's servers cannot inspect the content. The Windows client failed to properly sanitize attachment filenames, allowing for a **Path Traversal** attack using encoded `..\\` sequences.
Due to the deep directory structure where Messenger stores media (a 212-character path), an attacker is constrained by the Windows MAX_PATH limit (256 characters) and by the inability to overwrite existing files. However, with approximately 11-12 traversal steps an attacker can reach the `AppData\Local` directory, and from there drop malicious DLLs into the folders of other installed applications (e.g., Viber or Slack) to trigger **DLL Hijacking**.
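The following is an added example, not code from the report or from Meta's client, showing the class of defect described above beside a hardened version. The media root, the 256-character limit and the attachment names are constructed for the example (the report only says the real media path is 212 characters long); the point is that a receiver of E2EE attachments must strip the name down to a basename, decode before checking, and verify that the resolved destination still sits inside its own media directory.

```python
import ntpath
import urllib.parse

# Constructed media root for a hypothetical Windows client (not the real Messenger path).
MEDIA_ROOT = r"C:\Users\victim\AppData\Local\ExampleMessenger\media"
WINDOWS_MAX_PATH = 256  # the limit as stated in the report


def decode_fully(name: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so single- and double-encoded ..\\ forms surface."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def vulnerable_destination(filename: str) -> str:
    """The 'before' behaviour: trusts the sender-supplied name and joins it to the media root.

    A name containing ..\\ components walks out of MEDIA_ROOT once normalised."""
    return ntpath.normpath(ntpath.join(MEDIA_ROOT, decode_fully(filename)))


def safe_destination(filename: str) -> str:
    """Hardened: keep only a basename, reject separators and traversal, verify containment."""
    name = decode_fully(filename).replace("/", "\\")  # treat forward slashes as separators too
    base = ntpath.basename(name)
    if base != name or base in ("", ".", "..") or ":" in base:
        raise ValueError(f"rejected attachment name: {filename!r}")
    if any(ord(c) < 32 for c in base):
        raise ValueError("control characters in attachment name")
    dest = ntpath.normpath(ntpath.join(MEDIA_ROOT, base))
    # Belt and braces: the resolved path must still be under the media root
    root = ntpath.normcase(MEDIA_ROOT) + "\\"
    if not ntpath.normcase(dest).startswith(root):
        raise ValueError("resolved path escapes media root")
    if len(dest) > WINDOWS_MAX_PATH:
        raise ValueError("destination exceeds MAX_PATH")
    return dest


def is_safe_name(filename: str) -> bool:
    """True when the hardened check accepts the attachment name."""
    try:
        safe_destination(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attachment names: a benign one, plus plain, encoded and double-encoded traversals.
    samples = [
        "report.pdf",
        "..\\..\\Viber\\hijack.dll",
        "..%5c..%5cViber%5chijack.dll",
        "%252e%252e%255c%252e%252e%255cViber%255chijack.dll",
    ]
    for s in samples:
        print(f"{s!r:60} vulnerable -> {vulnerable_destination(s)}")
        print(f"{'':60} hardened   -> {'accepted' if is_safe_name(s) else 'rejected'}")
```

The decode step matters because the report notes the traversal was delivered as encoded `..\\` sequences; a check that runs before decoding, or only once, is exactly the kind of validation that lets the encoded form through.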
## Exploitation
- **Status**: PoC available/Demonstrated to vendor.
- **Complexity**: Low (requires only the ability to send a message to the victim).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: High (Full system access via RCE).
- **Integrity**: High (Ability to drop and execute arbitrary code).
- **Availability**: High (Potential for persistent malware or system disruption).
## Remediation
### Patches
- Meta has patched the Facebook Messenger for Windows client. Users should ensure they are running the latest version of the Messenger desktop application (versions released after June 2024).
### Workarounds
- Limit message reception to "Friends Only" or "No one" in Messenger's privacy settings to prevent unsolicited accounts from sending malicious attachments.
- Exercise caution when accepting encrypted chat requests from unknown or suspicious accounts.
## Detection
- **Indicators of Compromise**: Presence of unexpected DLLs in subfolders of `C:\Users\<user>\AppData\Local\`, specifically filenames like `qwave.dll` or similar common hijacking targets in folders like `\Viber\` or `\Slack\`.
- **Detection Methods**: Monitor file creation events in specialized application data paths by the Messenger process (`Messenger.exe`).
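As an added example of the detection method just described (not from the report or any vendor), the block below scans Sysmon-style FileCreate (Event ID 11) records and flags files that the Messenger process writes outside its own install and download locations, scoring DLL and EXE drops highest. The log lines, the process path and the allowed roots are constructed for the example; the line in which the logged target still contains `..` components is included to show why the path must be normalised before the containment check.

```python
import ntpath
import re

PROCESS_NAME = "messenger.exe"
# Hypothetical locations where the Messenger process is expected to create files.
ALLOWED_ROOTS = [
    r"C:\Users\victim\AppData\Local\ExampleMessenger",
    r"C:\Users\victim\Downloads",
]
CODE_EXTENSIONS = {".dll", ".exe", ".cpl", ".ocx"}

# Constructed Sysmon-style FileCreate records (key=value fields), not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Users\victim\AppData\Local\ExampleMessenger\Messenger.exe TargetFilename=C:\Users\victim\AppData\Local\ExampleMessenger\media\photo_001.jpg",
    r"EventID=11 Image=C:\Users\victim\AppData\Local\ExampleMessenger\Messenger.exe TargetFilename=C:\Users\victim\Downloads\invoice.pdf",
    r"EventID=11 Image=C:\Users\victim\AppData\Local\ExampleMessenger\Messenger.exe TargetFilename=C:\Users\victim\AppData\Local\Viber\hijack.dll",
    r"EventID=11 Image=C:\Users\victim\AppData\Local\ExampleMessenger\Messenger.exe TargetFilename=C:\Users\victim\AppData\Local\ExampleMessenger\media\..\..\Slack\notes.txt",
    r"EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Users\victim\AppData\Local\Viber\other.dll",
    r"EventID=1 Image=C:\Users\victim\AppData\Local\ExampleMessenger\Messenger.exe CommandLine=Messenger.exe --background",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split a key=value record into a dict; values may contain spaces and backslashes."""
    return dict(FIELD_RE.findall(line))


def under_root(path: str, root: str) -> bool:
    """Case-insensitive containment check on the normalised path (collapses ..\\ components)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)) + "\\"
    return p.startswith(r)


def classify(event: dict):
    """Return a severity for a suspicious FileCreate by the Messenger process, else None."""
    if event.get("EventID") != "11":
        return None
    if ntpath.basename(event.get("Image", "")).lower() != PROCESS_NAME:
        return None
    target = event.get("TargetFilename", "")
    if any(under_root(target, root) for root in ALLOWED_ROOTS):
        return None
    ext = ntpath.splitext(target)[1].lower()
    return "high" if ext in CODE_EXTENSIONS else "medium"


def scan(lines):
    """Yield (severity, normalised target path) for every alerting record."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            alerts.append((severity, ntpath.normpath(event["TargetFilename"])))
    return alerts


if __name__ == "__main__":
    for severity, target in scan(SAMPLE_EVENTS):
        print(f"[{severity}] Messenger.exe created {target}")
```

Two records should alert: the DLL written into the Viber folder (high) and the text file that only reaches the Slack folder after its `..` components are collapsed (medium). Writes by other processes and Messenger's own media and download activity stay quiet, which keeps the rule usable on a real endpoint.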
## References
- Original Writeup: hxxps[://]www[.]vulnano[.]com/2025/09/remote-code-execution-though[.]html
- Meta Bug Bounty Program: hxxps[://]bugbounty[.]meta[.]com/payout-guidelines/mobile-rce/
- PoC Video: hxxps[://]youtu[.]be/wvywPUdTIPA?si=rPCoGAukL80pv5Fw