Facebook "Spam" DoS
Using Spam to Spam and Crash FB Messenger 2018
Some may look at the title and think, ohhhh, they found a way to do a Denial of Service (DoS) by some new fancy spearphishing attack… well, you would be 100% amazingly and spectacularly… wrong.
We found a way to crash both the Facebook Messenger desktop app on Windows and the Android Messenger app, and here’s how we did it…
So one day, while sitting in the college common area being the dysfunctional rejects that we are, we were talking about denial of service and buffer overflows, because nerds, right? Every other college student is there talking about parties and drinking, and our small group is sitting there laughing at the workings of EternalBlue and how simplistic and beautiful an attack it was, but at the same time how skids are still using LOIC.
Between chugs of our usual poison of choice, Ultra Sugar-Free Monster, someone spews out, “I wonder how big the memory buffer is for Facebook Messenger and how much it would take to crash it.” Of course, we got thinking, then we got to googling, and we found nothing.
So, like any other caffeine-fueled Mark Zuckerberg wannabes, we decided to take a look at the app and see what we could find out. No intentions to be malicious or anything, just out of curiosity… I know what you’re thinking, but again, we were hopped up on the finest of caffeine, in between D&D campaigns and burnt out on Magic: The Gathering.
So, like any reasonable college student would say, “CHECK THE SOURCE”. We did the complete opposite and started devising a plan for how we could troll our friend and unwilling target, who happened to be @AlanTheBlank, in a form of targeted harassment and screams of “why me”.
Two others and I came up with a devilish plan to use the one thing that can be spammed and never be hated: SPAM, that glorious meat in a can. No one knows what it truly is, other than that on a college budget, a can of Spam, bread, cheese, butter, and a pack of eggs is 3 meals of salty, meaty, mouthwatering Spam, egg, and cheese sandwich… I’m hungry now.
Anyway, back on point: yes, cyberbullying my close friend Alan. We started our onslaught of spamming pictures of random cans of Spam at Alan, to no avail; he was still able to message back that we had failed.
That was until I found a collection of large-sized pictures of a can of Spam, not just large but a 5 MB high-quality image of a can of Spam looking all artistic and presentable. The image on the left is a reduced-size version of one of the images for the post.
Between screams of pain and agony of Alan attempting to send messages and his phone constantly making that noise we all both love and hate, we had started to produce some issues for the device.
These issues were in the form of lagging in the photos being sent and the inability for Alan to open another message conversation or the application on his Android device before it would crash out and fail.
Alan’s shared images bar looked like what you would expect: spammed. This can be seen in the image on the right.
It took a total of 5 minutes of spamming images into the group chat for every member of the group to have a failure at the same time; we would call this a success. We had the names of guys in the group chat set to XSS queries to see whether it would pop an XSS on failure, or whether sending a message would pop one.
The group chat was an all-around nightmare. It turned out that after we did this, no one was able to use our special meme chat, where we had some of the best memes. It was a travesty: our lost treasure trove of some of the darkest humour we could find.
Due to the constant crashing when opening the meme chat, we had to abandon the test and the chat and work with a guesstimation of the amount we sent. We are working on the assumption that 48 pictures sent, at 5.0123 MB per photo, being compressed and used is what caused the crash.
We could have potentially gone further and seen what could have been exploited after finding this crash. But we felt it was against ethics and would seek to clarify it further. We did this by reporting the issue to a college friend who was working at Facebook at the time as an engineer, to which the only response we received was “you guys are idiots…. never change” and some free Coors Lights at the office one Tuesday evening. (Thanks for the beer, Mark.)
What you see on the left is a screenshot of the failure crashing out Facebook Messenger, to the point that it was unable to refresh, and even split on the screen, as can be seen in the images.
Or, in more professional terms, a simple overflow of the memory causing the application to crash for all users in the conversation.