Chaining Path Traversal Vulnerability to RCE: Meta's $111,750 Bug
During the Meta BountyCon event, a researcher found a path traversal vulnerability in Facebook Messenger for Windows that could be chained with DLL hijacking into remote code execution, ultimately earning a $111,750 bounty. 2025-9-8 11:27:22 Author: infosecwriteups.com

Abhishek meena

In the high-stakes world of bug bounty hunting, a single vulnerability can be the key to unlocking a significant reward. But what happens when a seemingly simple bug is chained with another, turning a file placement issue into full-blown Remote Code Execution (RCE)? This is the story of a critical vulnerability discovered in Facebook Messenger for Windows during the Meta BountyCon hacking event in June 2024, a finding that ultimately led to a first-place finish and a massive $111,750 payout.

This write-up breaks down the entire attack chain, from an initial path traversal flaw to a clever DLL hijacking technique, demonstrating how creative thinking and persistence can elevate a simple bug into a critical security threat.


From Path Traversal to RCE: A $111,750 Facebook Messenger Exploit

The Initial Foothold: Path Traversal in Encrypted Chats

The investigation began by probing the end-to-end encrypted (E2EE) chat feature in Messenger. In an E2EE deployment the server cannot inspect message content, so every check on incoming data, including attachment metadata such as filenames, has to happen in the client. That client-side trust model often presents a rich attack surface.

The theory was simple: if the Messenger for Windows client mishandled file attachments sent over an encrypted channel, it could lead to a vulnerability. Sending an attachment whose filename carried URL-encoded traversal sequences (%2e%2e%5c, which decodes to ..\) quickly confirmed the flaw.

The Messenger client naively accepted the filename, placing the attachment at a location dictated by the traversal sequences. For instance, a file named ..\test.bat would be saved outside of its intended directory. The full path looked something like this:

C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto\100027775233281\persistent\da7a85eb-aac7-46da-9cba-7a2f38f88e08\2024\06\03\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2\..\test.bat

This confirmed a classic path traversal vulnerability: an attacker could send a message to a victim and write a file, with attacker-chosen content, to a location of their choosing on the victim's Windows machine. However, this was far from a game-over scenario.


breaking out of a sandboxed directory (/media_bank/) and moving into a higher-level directory /home

The Obstacle: Windows Path Length Limitation

The initial excitement was quickly tempered by a significant constraint: the Windows MAX_PATH limit. For the classic Win32 file APIs a path may be at most 260 characters, and that figure includes the terminating NUL, so only 259 usable characters remain (an application can opt into long paths, but this client was bound by the limit). The base directory where Messenger stored the attachment was already incredibly long:

C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto\100027775233281\persistent\da7a85eb-aac7-46da-9cba-7a2f38f88e08\2024\06\03\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2\

This path alone consumes 211 characters, leaving only 48 for the traversal sequence and the final payload filename. Each ..\ sequence uses 3 characters, so traversing up the directory tree was costly. Traversing 11 levels up (..\..\..\..\..\..\..\..\..\..\..) consumed 33 characters and landed the file in C:\Users\vulna\AppData\Local\.

This left a meager 15 characters for the destination folder and filename together. Furthermore, the vulnerability did not allow overwriting existing files. The challenge was now to find a way to achieve code execution with a 15-character relative path, written into a directory full of files belonging to other applications.

The Pivot: Achieving RCE via DLL Hijacking

The solution lay in a well-known Windows attack technique: DLL hijacking. When an application loads a Dynamic-Link Library (DLL) by name, the loader walks a fixed search order that, for a desktop application, starts with the directory the executable was loaded from and only then moves on to System32 and the other system directories. If an attacker can place a DLL with the expected name in a directory that is searched before the legitimate copy, the application loads the attacker's code instead.

Research revealed that other popular applications installed on the victim machine, such as Viber and Slack, were vulnerable to this attack. Specifically, the Viber client, when launched, would attempt to load qwave.dll (a system library normally served from System32) and, following the search order above, look for it first in its own application directory: C:\Users\vulna\AppData\Local\Viber. Crucially, no qwave.dll existed in that directory by default, so the slot was free to fill, and because Viber installs under the user's profile the directory is writable without elevation.
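The search-order logic the two paragraphs above rely on, as an added example that is not part of the original write-up and not Viber's or Microsoft's code: a small Python model of the default Windows DLL search order (SafeDllSearchMode on) that shows why a qwave.dll written into Viber's directory is picked over the genuine one in System32, plus the scan a researcher runs to find such free slots. The file layout, the list of DLLs Viber loads, the KnownDLLs subset and the assumption that qwave.dll is not a KnownDLL are all mine, constructed for the demo; the directory names follow the paths quoted in this write-up.

```python
import ntpath

# Directories of a stock Windows install (assumed); the user profile matches the write-up.
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
# Illustrative subset of the KnownDLLs list; these are always mapped from System32.
# Assumption for this demo: qwave.dll is not on that list.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll", "ole32.dll"}

VIBER_DIR = r"C:\Users\vulna\AppData\Local\Viber"
# Constructed file layout before the attack: Viber's per-user install and the genuine qwave.dll.
DISK_BEFORE = {
    ntpath.join(VIBER_DIR, "Viber.exe"),
    ntpath.join(SYSTEM32, "qwave.dll"),
    ntpath.join(SYSTEM32, "kernel32.dll"),
}
# ...and after the Messenger traversal has written the attacker's copy into Viber's directory.
DISK_AFTER = DISK_BEFORE | {ntpath.join(VIBER_DIR, "qwave.dll")}
# Constructed list of what Viber loads; the write-up only names qwave.dll.
VIBER_LOADS = ["kernel32.dll", "qwave.dll"]


def default_search_order(app_dir, cwd, path_dirs=()):
    """Walk for LoadLibrary("name.dll") with SafeDllSearchMode on (the default):
    application directory, System32, the 16-bit System directory, the Windows
    directory, the current directory, then each PATH entry."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve_dll(dll_name, app_dir, disk, cwd=r"C:\Users\vulna", path_dirs=()):
    """Path the loader would map for dll_name, or None if it exists nowhere.
    `disk` is the set of files present; NTFS names compare case-insensitively."""
    dll_name = dll_name.lower()
    if dll_name in KNOWN_DLLS:
        return ntpath.join(SYSTEM32, dll_name)   # KnownDLLs skip the directory walk entirely
    present = {p.lower() for p in disk}
    for directory in default_search_order(app_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in present:
            return candidate
    return None


def hijackable_dlls(app_dir, loaded_dlls, disk):
    """Names the application loads that do not currently resolve from app_dir
    (loaded from elsewhere, or not found at all): a file of that name written
    into app_dir would be loaded instead. This is the Viber/qwave.dll slot."""
    return sorted(
        name for name in loaded_dlls
        if name.lower() not in KNOWN_DLLS
        and (resolve_dll(name, app_dir, disk) or "").lower()
            != ntpath.join(app_dir, name).lower()
    )


def demo():
    """Where qwave.dll comes from before and after the drop, plus the slot scan."""
    return {
        "before": resolve_dll("qwave.dll", VIBER_DIR, DISK_BEFORE),
        "after": resolve_dll("qwave.dll", VIBER_DIR, DISK_AFTER),
        "slots_before": hijackable_dlls(VIBER_DIR, VIBER_LOADS, DISK_BEFORE),
        "slots_after": hijackable_dlls(VIBER_DIR, VIBER_LOADS, DISK_AFTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practitioner notes on the model. The hardened search modes (SetDefaultDllDirectories / LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) drop the current directory and PATH from the walk but still put the application directory first, so an application installed under the user-writable %LOCALAPPDATA% stays exposed; the fixes are installing where ordinary users cannot write, or loading system libraries with LOAD_LIBRARY_SEARCH_SYSTEM32 or a full path. And the "not found anywhere" case is deliberately reported as a slot too, since a DLL an application probes for but never finds is the easiest one to supply.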

This was the golden ticket. From the attachment directory the file had to climb to C:\Users\vulna\AppData\Local\ and then descend into Viber's directory, so the payload path ended in:

..\Viber\qwave.dll

The Viber\qwave.dll portion is exactly 15 characters, the entire remaining budget, and with the 11 traversal sequences (33 characters) in front of it the decoded filename comes to exactly 48 characters. The final, URL-encoded filename was:

%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cViber%5cqwave.dll

When the victim received this file via an encrypted Messenger chat, the client would save the malicious qwave.dll into C:\Users\vulna\AppData\Local\Viber\. The next time the victim launched Viber, the application would load the attacker's DLL and run its code: remote code execution with no user interaction beyond opening an application the victim already uses.
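The path arithmetic from the sections above, as an added example that is not part of the original write-up and not Meta's code: Python that models the flawed save logic against the exact attachment directory quoted earlier, checks the MAX_PATH budget, resolves the final filename, and shows the validation that would have closed the hole. The function names, the assumption that the client URL-decodes the name before joining it onto the directory, and the MAX_PATH accounting are mine; ntpath is used so the Windows path rules apply wherever the script runs.

```python
import ntpath
from urllib.parse import unquote

# The per-attachment directory quoted in the write-up, trailing backslash included (211 characters).
ATTACHMENT_DIR = (
    r"C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto"
    r"\100027775233281\persistent\da7a85eb-aac7-46da-9cba-7a2f38f88e08"
    r"\2024\06\03\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2" "\\"
)
# The URL-encoded filename from the write-up: eleven '..\' hops, then Viber\qwave.dll.
FINAL_NAME = "%2e%2e%5c" * 11 + "Viber%5cqwave.dll"

MAX_PATH = 260                  # classic Win32 limit, terminating NUL included
USABLE_CHARS = MAX_PATH - 1
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                  *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}


def naive_save_path(attachment_dir, sender_name):
    """Model of the flawed behaviour (assumed): URL-decode the sender-supplied name
    and join it straight onto the attachment directory, so '..\\' walks upward."""
    return ntpath.normpath(ntpath.join(attachment_dir, unquote(sender_name)))


def traversal_budget(attachment_dir, levels):
    """Characters left for the payload tail after `levels` of '..\\' (3 chars each)."""
    return USABLE_CHARS - len(attachment_dir) - 3 * levels


def safe_save_path(attachment_dir, sender_name):
    """Hardened save: the sender chooses a bare file name and nothing else."""
    name = unquote(sender_name)
    # A path of any shape ('..\\', '/', 'C:') never equals its own basename.
    if name != ntpath.basename(name) or name in ("", ".", ".."):
        raise ValueError("attachment name must be a bare file name")
    # Alternate data streams, and the trailing dots/spaces Windows silently strips.
    if ":" in name or name != name.rstrip(". "):
        raise ValueError("unsupported characters in attachment name")
    if name.split(".")[0].upper() in RESERVED_NAMES:
        raise ValueError("reserved device name")
    full = ntpath.normpath(ntpath.join(attachment_dir, name))
    base = ntpath.normpath(attachment_dir)
    # Containment re-checked on the normalised result, independent of the checks above.
    if ntpath.commonpath([full, base]) != base:
        raise ValueError("path escapes the attachment directory")
    if len(full) > USABLE_CHARS:
        raise ValueError("path exceeds MAX_PATH")
    return full


def validation_error(attachment_dir, sender_name):
    """Reason safe_save_path rejects a name, or None when it is accepted."""
    try:
        safe_save_path(attachment_dir, sender_name)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(len(ATTACHMENT_DIR), "base characters;",
          traversal_budget(ATTACHMENT_DIR, 11), "left after 11 levels")
    print("naive :", naive_save_path(ATTACHMENT_DIR, FINAL_NAME))
    print("safe  :", validation_error(ATTACHMENT_DIR, FINAL_NAME))
```

The basename rule is the one that matters: once the client only ever appends a bare file name, URL decoding, separators in either direction, drive letters and NUL-free tricks all collapse to the same rejected case, and the commonpath check behind it exists only to catch a future refactor that weakens the first one. The length check mirrors the constraint the researcher had to work around; a client built with long-path support would not have it, and would have given the attacker far more room.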


A flowchart showing the DLL hijacking process

Attack Demonstration and Timeline

The full attack was demonstrated in a video showing how sending a single file via Messenger leads to code execution on the victim's Windows machine.

You can watch the proof-of-concept video here: Attack Demonstration

The disclosure timeline highlights the process of reporting the vulnerability and negotiating the bounty:

  • June 3, 2024: Initial report detailing the path traversal vulnerability was submitted. Meta’s security team acknowledged the issue and noted that demonstrating code execution would significantly increase the reward.
  • June 5, 2024: The full RCE chain using DLL hijacking via Viber was submitted.
  • August 8, 2024: An initial reward of $34,500 was issued. After a discussion regarding Meta’s payout guidelines for mobile RCE, the reward was reassessed.
  • August 23, 2024: The final reward was adjusted to $75,000, which, combined with bonuses, totaled $111,750.

Key Takeaways

This discovery is a powerful example of how multiple, lower-severity vulnerabilities can be chained together to create a critical impact. Here are the key lessons for both security researchers and developers:

  • Client-Side Validation Is Critical: In end-to-end encrypted systems the client is the last line of defense. Every field received from a peer, filenames included, must be validated; a filename in particular should be reduced to a bare basename before it ever reaches a path join.
  • Never Underestimate “Minor” Bugs: A path traversal bug with strict limitations might seem like a low-impact finding. However, when combined with other weaknesses in the environment, like a DLL hijacking vulnerability, its severity can be dramatically amplified.
  • Understand the Environment: A deep understanding of the operating system and other applications running on it can reveal unexpected pathways to exploitation. Knowledge of techniques like DLL hijacking is essential for turning a bug into a full-blown exploit.
  • Persistence Pays Off: The initial finding was valuable, but pushing further to achieve RCE was what led to a six-figure payout. Always explore the full potential impact of a vulnerability.

Source: https://infosecwriteups.com/chaining-path-traversal-vulnerability-to-rce-metas-111-750-bug-a98a473c6a05?source=rss----7b722bfd1b8d--bug_bounty