🟧 Logic flaw k1lled business messaging for all users
This is how to keep users away from functions they do not have access to!

Hello, friend! This is mrhashimamin, and I'm back today with a new write-up for you, ma amigo <3.

So, let's get to it. Today's story is about an interesting logic bug I found on msg-app.com. Check my last write-up; we've talked about this target before.
Business Messaging?

Business Messaging is a messaging solution designed for customer engagement between businesses and users. It enables companies to integrate 1-on-1 or group chat, file sharing, notifications, and automation into their apps or websites.
Okay, to understand this better, you need to know:

Campaign: targeted, automated messages to engage users.
Template: pre-made message designs for personalized notifications across channels.
Push Channel: manages mobile push notifications (when the app isn't open).

Big Note: push channels can't be deleted or edited. (And that's where I started hacking xD)
From my experience with this app, I knew there were only two channel types (via API):

Open channels
Group channels

First thing I tried? Delete the push channel to see what happens:

DELETE /api/open_channels/push-channel  → 400 Bad Request (not deleted)
DELETE /api/group_channels/push-channel → 200 OK (deleted)

Impact?

Now when you try to access templates, you can't.

You can create a template, but you can't create a campaign, because the main push channel is gone. Even if you create a new push channel to fix this, you still can't make new campaigns.

Result? Broken templates/campaigns. But do owners want to break their own org? So... ¯\_(ツ)_/¯
To see the real impact, create a custom role with these permissions:

Chat > View
Chat > Moderate group channels (so they can delete push channels)

Normally, an attacker can:
Delete group channels ✅

But shouldn't be able to:
Delete push channels ❌
Access the business messaging feature/channels ❌

Push channels shouldn't be deletable at all.
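To show what the fix looks like server-side, here is an added example (my own constructed code, not msg-app.com's) of the authorization check the write-up is asking for: the delete handler decides based on the kind stored on the channel object, not on which URL family the request came in through. The store, the permission names, the endpoint families and the status codes are all assumptions made up for the illustration.

```python
"""Constructed example of the check the write-up argues for: authorize a
delete against the channel's stored kind, not the URL it arrived on.
This is not msg-app.com's code; every name here is an assumption."""

# Constructed in-memory stand-in for the app's channel table.
CHANNELS = {
    "general": {"kind": "open"},
    "support-team": {"kind": "group"},
    "push-channel": {"kind": "push"},  # system channel: must never be deleted
}

# Hypothetical permission each endpoint family requires, and the kind of
# object each family is supposed to operate on.
FAMILY_PERMISSION = {
    "open_channels": "moderate_open_channels",
    "group_channels": "moderate_group_channels",
}
FAMILY_KIND = {"open_channels": "open", "group_channels": "group"}

# Kinds managed by the system; no role should be able to delete them.
PROTECTED_KINDS = {"push"}


class Forbidden(Exception):
    """Caller lacks the permission, or the object may not be touched."""


class BadRequest(Exception):
    """Malformed request, or the object does not fit this endpoint."""


def delete_channel_naive(store, family, channel_id, permissions):
    """Weak handler: checks the endpoint-family permission, then deletes
    whatever object has that id. The stored kind is never consulted, so a
    push channel addressed through /group_channels/ is removed."""
    if FAMILY_PERMISSION[family] not in permissions:
        raise Forbidden(family)
    if channel_id not in store:
        raise BadRequest("no such channel")
    del store[channel_id]
    return 200


def delete_channel_hardened(store, family, channel_id, permissions):
    """Hardened handler: the decision is made on the object's real kind."""
    if FAMILY_PERMISSION[family] not in permissions:
        raise Forbidden(family)
    channel = store.get(channel_id)
    if channel is None:
        raise BadRequest("no such channel")
    kind = channel["kind"]
    # Protected kinds are refused before anything else, on every endpoint.
    if kind in PROTECTED_KINDS:
        raise Forbidden(f"{kind} channels cannot be deleted")
    # The endpoint family must match what the object actually is.
    if FAMILY_KIND[family] != kind:
        raise BadRequest(f"{channel_id} is a {kind} channel, not {FAMILY_KIND[family]}")
    del store[channel_id]
    return 200


def attempt(handler, family, channel_id, permissions):
    """Run one request against a fresh copy of the store.
    Returns (http_status, channel_still_present)."""
    store = {cid: dict(ch) for cid, ch in CHANNELS.items()}
    try:
        status = handler(store, family, channel_id, permissions)
    except Forbidden:
        status = 403
    except BadRequest:
        status = 400
    return status, channel_id in store


if __name__ == "__main__":
    role = {"moderate_group_channels"}  # the custom role from the write-up
    print("naive   :", attempt(delete_channel_naive, "group_channels", "push-channel", role))
    print("hardened:", attempt(delete_channel_hardened, "group_channels", "push-channel", role))
    print("hardened:", attempt(delete_channel_hardened, "group_channels", "support-team", role))
```

The point of the hardened version is the order of the checks: the role permission only gets you past the door, the object's stored kind decides whether the action is allowed at all, and only then does the endpoint have to agree with that kind. A role that may moderate group channels therefore still deletes group channels, but the same role hitting the same URL with a push channel id gets a 403 and the channel stays.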

That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3