Messenger
App Quality Report
Powered by Testers.AI
Quality Score: B · 84%
Pages: 6
Issues: 63
Avg Confidence: 8.2
Avg Priority: 8.2
Severity: 36 Critical · 19 High · 8 Medium
Testers.AI AI Analysis

Messenger was tested and 63 issues were detected across the site. The most critical finding was: AI/LLM endpoint calls detected on page load. The issues span the Security, A11y, Performance, and Other categories.

Qualitative Quality (chart: Messenger vs. Category Avg vs. Best in Category)
Issue Count by Type:
A11y: 17
Content: 17
Security: 13
UX: 9
Pages Tested · 6 screenshots
Detected Issues · 63 total
1
AI/LLM endpoint calls detected on page load
CRIT P10
Conf 9/10 · Security, Other
Prompt to Fix
Modify the page loading logic to remove or defer AI/LLM endpoint calls during initial paint. Implement a user-consent prompt or a clear feature flag before any AI calls are made. Replace immediate on-load calls with a lazy-loading approach and document AI usage in privacy/disclosure text. Provide a minimal reproducible example showing how to gate the AI calls behind a user action.
Why it's a bug
The network/activity log contains repeated markers '⚠️ AI/LLM ENDPOINT DETECTED', suggesting automatic AI endpoint calls are being made during page load without explicit user interaction or consent. This raises privacy, security, and performance concerns.
Why it might not be a bug
If the app legitimately uses AI features, calls may be expected; however, performing them on load without user consent is inappropriate and should be gated.
Suggested Fix
Delay any AI/LLM endpoint calls until explicit user action or a clear consent prompt. Implement lazy loading or feature flags, and ensure prompts or data sent to AI endpoints are minimized. Add privacy disclosures and logs that do not reveal prompts.
Why Fix
Reduces potential data leakage, improves initial load performance, and aligns with user privacy expectations for GenAI features.
Route To
Frontend Engineer / Privacy & Security Specialist
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: ⚠️ AI/LLM ENDPOINT DETECTED
Network: POST https://www.messenger.com/ajax/bz?__a=1&__ccg=EXCELLENT&__dyn=7xe6E5aQ1PyUbFp41twpUnwgU6C7UW1DxW0SU1nEhw2nVE4W099w8G1Qw5Mx61vw5zw78w5Uwdq0Ho2ewnE0Caaw4kwbS1Lw7JwcW0hi0Xo38w2Fo&__hs=20538.BP%3Amessengerdotcom_pkg.2.0...0&__hsi=7621483626590915215&__jssesw=1&__req=1&__rev=1036008164&__s=d2d5ub%3Aqnwtmu%3A3uffmp&__spin_b=trunk&__spin_r=1036008164&__spin_t=1774514937&__user=0&dpr=1&jazoest=22526&lsd=AdQq4E5hlL6OcZiRlxwzpzUhvKo
2
Authentication session tokens exposed in URL query parameters
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
In the code that builds these requests, ensure that tokens and per-request identifiers (such as __aaid, __user, __a, __req, __dyn, __s, etc.) are not placed in the URL query string. Move sensitive data to secure HTTP headers (Authorization: Bearer <token>) or HttpOnly cookies with SameSite. Avoid logging full URLs with sensitive query params. Implement server-side redaction of sensitive query parameters in logs, enable HSTS, and enforce a strong Content Security Policy. Audit all endpoint calls to ensure no sensitive data is transmitted in URLs.
Why it's a bug
URL query parameters contain ephemeral tokens and internal identifiers such as __aaid, __user, __a, __req, __dyn, __s, and other dynamic values across multiple requests. These can be captured in browser history, server logs, analytics, or leaked via the Referer header when navigating to other sites. This pattern increases risk of token leakage, session hijacking, or replay attacks.
Why it might not be a bug
Some of these parameters may be non-secret internal identifiers used by the frontend; they could be transient and not used for long-term authentication. If tokens are short-lived and scoped per-request, the practical risk is reduced. However, best practice remains to avoid sensitive data in URLs.
Suggested Fix
Refactor API calls to avoid sending sensitive tokens in the URL query string. Move authentication/session tokens to HTTP headers (Authorization: Bearer <token>) or secure, HttpOnly cookies with SameSite. Remove sensitive parameters from query strings; redact or omit them from client logs. Prefer POST for sensitive state-changing actions and implement token rotation, a strict Referrer-Policy, and a robust Content-Security-Policy. Ensure logs do not expose full URLs with sensitive query parameters.
Why Fix
Eliminates risk of token leakage through logs, history, or Referer headers, reducing session hijacking risk and aligning with secure development practices for web apps.
Route To
Security Engineer - Web/API
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: GET https://www.messenger.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__dyn=7xe6E5aQ1PyUbFp41twpUnwgU6C7UW1DxW0SU1nEhw2nVE4W099wooa87i0n24o5-16wf50Fw4Hw9O0M82TwVw9O0Ho2ewnE0Caaw4kwbS1Lw60wr83ew4kwtU7m0O80Gm&__hsdp=g9tTMT3z1c&__spin_r=1036008164&__spin_b=trunk&__spin_t=1774514907&__jssesw=1
Network: GET https://www.messenger.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__dyn=7xe6E5aQ1PyUbFp41twpUnwgU6C7UW1DxW0SU1nEhw2nVE4W099wooa87i0n24o5-16wf50Fw4Hw9O0M82TwVw9O0Ho2ewnE0Caaw4kwbS1Lw60wr83ew4kwtU7m0O80Gm&__hs=20538.BP%3Amessengerdotcom_pkg.2.0...0&__hsi=7621483491884060758&__spin_r=1036008164&__spin_b=trunk&__spin_t=1774514907&__jssesw=1
3
PII/Tracking Identifiers Exposed in Messenger Bootloader Requests
CRIT P9
Conf 9/10 Other
Prompt to Fix
In the frontend code that builds requests to the Messenger bootloader-endpoint, ensure that URL query strings do not include user identifiers or device identifiers such as __aaid, __user, __s, __hs, __dyn. Replace them with server-generated opaque tokens sent via a POST body or HttpOnly cookies. Implement a data minimization review for each parameter in the bootloader-endpoint call and add consent gating for telemetry.
Why it's a bug
The bootloader-endpoint requests to messenger.com include identifiers such as __aaid and __user in the query string. These are tracking identifiers and potentially PII that can be correlated with a user or device. Exposing them in URLs means they can be logged, cached, or leaked via Referer headers, violating data minimization and user privacy expectations.
Why it might not be a bug
Some telemetry tokens may be required for session initialization; however, including them in URLs is inherently risky as URLs can be stored in browser history and server logs. If tokens are strictly non-identifying, risk is reduced, but current payloads appear to be identifiers.
Suggested Fix
Remove or obfuscate identifiers (__aaid, __user, __s, __hs, __dyn, etc.) from URL query parameters in the Messenger bootloader and related endpoints. Use server-issued, short-lived opaque tokens in a POST body or HttpOnly cookies, and gate telemetry on user consent. Implement data minimization and ensure any analytics/timestamp data is sent only with user consent.
Why Fix
Reducing exposure of personally identifiable or device identifiers in URLs prevents leakage via logs/history and reduces cross-site tracking risk, improving user privacy and compliance.
Route To
Privacy Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: GET https://www.messenger.com/ajax/bootloader-endpoint/?modules=MWForgotPasswordDialog.react&__aaid=0&__user=0&__a=1&__req=2&__hs=20538.BP%3Amessengerdotcom_pkg.2.0... Status: N/A; GET https://www.messenger.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__dyn=7xe6E5aQ1PyUbFp41twpUnwgU6C7UW1DxW0SU1nEhw2nVE4W099wooa87i0n24o5-16wf50Fw4Hw9O0M82TwVw9O0Ho2ewnE0Caaw4kwbS1Lw60wr83ew4kwtU7m0O80Gm&__hs=20538.BP%3Amessengerdotcom_pkg.2.0...0&__hsi=7621483491884060758&__jssesw=1&__req=4&__rev=1036008164&__s=d2d5ub%3Abbfq6r%3Ai9h5fw&__spin_b=trunk&__spin_r=1036008164&__spin_t=1774514907&__user=0&dpr=1&jazoest=22459&lsd=AdQq4E5hlL6OcZiRlxwzpzUhE9o0 - Status: N/A
Network: GET https://www.messenger.com/ajax/bootloader-endpoint/?modules=MWForgotPasswordDialog.react&__aaid=0&__user=0&__a=1&__req=2&__hs=20538.BP%3Amessengerdotcom_pkg.2.0...0&dpr=1&__ccg=EXCELLENT&__rev=1036008164&__s=d2d5ub%3Abbfq6r%3Ai9h5fw&__hsi=7621483491884060758&__dyn=7xe6E5aQ1PyUbFp41twpUnwgU6C7UW1DxW0SU1nEhw2nVE4W099wooa87i0n24o5-16wf50Fw4Hw9O0M82TwVw9O0Ho2ewnE0Caaw4kwbS1Lw60wr83ew4kwtU7m0O80Gm&__hsdp=g9tTMT3z1c&__hblp=0no6eam1YwKw9q3e0dOy83kpBQii6k7awpE720CU&__spin_r=1036008164&__spin_b=trunk&__spin_t=1774514907&__jssesw=1 - Status: N/A
27 more issues detected, including:
Unconsented Cross-Domain Tracking via Messenger Login Endpoi...
AI endpoint instrumentation logged in production console
Excessive number of network requests on page load (92 reques...
and 24 more...
You're viewing the top 3 issues for Messenger.