
🟧Logic flaw k1lled business messaging for all users

This is how to lock users out of features you do not even have access to!

Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3.

So, let’s get to it. Today’s story is about an interesting logic bug I found on msg-app.com. Check my last write-up—we’ve talked about this target before.


Business Messaging?

Business Messaging is a messaging solution designed for customer engagement between businesses and users. It enables companies to integrate 1-on-1 or group chat, file sharing, notifications, and automation into their apps or websites.

Okay, to understand this better, you need to know:

  • Campaign: Targeted, automated messages to engage users.

  • Template: Pre-made message designs for personalized notifications across channels.

  • Push Channel: Manages mobile push notifications (when app isn’t open).

Big Note: Push channels can’t be deleted/edited. (And that’s where I started hacking xD)


From my experience with this app, I knew there were only two channel types (via API):

  • Open channels

  • Group channels

First thing I tried? Delete the push channel to see what happens:

  • DELETE /api/open_channels/push-channel → 400 Bad Request (not deleted)

  • DELETE /api/group_channels/push-channel → 200 OK (deleted)

Impact?

  • Now when you try to access templates, you can’t.

  • You can create a template, but you can’t create a campaign—because the main push channel is gone.

  • Even if you create a new push channel to fix this, you still can’t make new campaigns.

Result? Broken templates and campaigns. But would owners want to break their own org? So... ¯\_(ツ)_/¯


To see the real impact:

Create a custom role with these permissions:

  • Chat

  • View

  • Moderate group channels (so they can delete push channels)

With that role, an attacker is legitimately able to:

  • Delete group channels

But shouldn't be able to:

  • Delete push channels

  • Access business messages feature/channels

Push channels shouldn't be deletable at all.
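To make the fix concrete, here is an added example (my own illustration, not code from msg-app.com or from the original write-up) that models the two DELETE routes and the custom role above. The store, the channel names, the `moderate_group_channels` permission name and the status codes chosen for the hardened handler are assumptions; the point is that the group-channel route must verify the target really is a group channel, and that push channels are rejected on every route, before the permission check is allowed to matter.

```python
"""Model of the channel-deletion logic flaw and its fix.

Added example, not the application's real code. Channel ids, permission
names and the in-memory store are constructed for illustration.
"""
from dataclasses import dataclass, field

OPEN, GROUP, PUSH = "open", "group", "push"

# Permission granted by the custom role described in the write-up (assumed name).
MODERATE_GROUP = "moderate_group_channels"


@dataclass
class Channel:
    channel_id: str
    kind: str  # one of OPEN, GROUP, PUSH


@dataclass
class Store:
    channels: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)  # audit trail of rejected deletes


def seed_store() -> Store:
    """Constructed sample data: one channel of each kind."""
    store = Store()
    for cid, kind in (("general", OPEN), ("support", GROUP), ("push-channel", PUSH)):
        store.channels[cid] = Channel(cid, kind)
    return store


def campaigns_available(store: Store) -> bool:
    """Campaign creation depends on the push channel existing (the downstream impact)."""
    return any(ch.kind == PUSH for ch in store.channels.values())


def delete_group_channel_vulnerable(store: Store, perms: set, channel_id: str) -> int:
    """Flawed handler for DELETE /api/group_channels/<id>.

    It checks the caller's permission and that the id exists, but never checks
    the channel's type, so a push channel is deleted through the group route.
    """
    if MODERATE_GROUP not in perms:
        return 403
    if channel_id not in store.channels:
        return 404
    del store.channels[channel_id]
    return 200


def delete_group_channel_fixed(store: Store, perms: set, channel_id: str) -> int:
    """Hardened handler: the resource type must match the route, and push
    channels are never deletable regardless of the caller's role."""
    if MODERATE_GROUP not in perms:
        return 403
    ch = store.channels.get(channel_id)
    if ch is None:
        return 404
    if ch.kind == PUSH:
        # Matches the 400 the open-channel route already returns for push channels.
        store.denied.append(("push_delete_attempt", channel_id))
        return 400
    if ch.kind != GROUP:
        # Wrong route for this resource; log it, since it often signals probing.
        store.denied.append(("type_mismatch", channel_id))
        return 400
    del store.channels[channel_id]
    return 200


def run_demo() -> dict:
    """Replay the write-up's request against both handlers and report the outcome."""
    role = {"chat", "view", MODERATE_GROUP}
    before = seed_store()
    vuln_status = delete_group_channel_vulnerable(before, role, "push-channel")
    after = seed_store()
    fixed_status = delete_group_channel_fixed(after, role, "push-channel")
    return {
        "vulnerable_status": vuln_status,
        "vulnerable_campaigns_ok": campaigns_available(before),
        "fixed_status": fixed_status,
        "fixed_campaigns_ok": campaigns_available(after),
        "fixed_denied_events": len(after.denied),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the vulnerable route returning 200 and leaving the org with no push channel (so `campaigns_available` is False), while the fixed route returns 400, keeps the channel, and records the attempt so the event can be alerted on.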



That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3
