Facebook Messenger Bug Might Have Exposed Your Chat Partner

Facebook-related issues seem neverending.

A researcher has just revealed his findings of a Facebook vulnerability in Messenger which has been patched now. This could potentially expose data about who you have been chatting with on the app.

Your chat partner might have been revealed 

Gizmodo reveals that cybersecurity software company Imperva has shared its report on the vulnerability in an official blog post by researcher Rom Masas.

It seems that via a user’s browser,  a hacker could potentially exploit iframe properties in order to see who the user has been chatting with on Facebook’s Messenger.

According to Masas, a hacker would be able to do this by baiting Messenger users to click on a bad link that leads to a malicious site.

After the user clicks anywhere on the page, a new window opens, and it may be out of the view of the user.

This would allow the hacker to probe whether the user has been into a conversation with other Facebook users on Messenger.

Getting around Facebook’s original fix 

Masas flagged the issue to Facebook, and he was able to get around the company’s fix:

“Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.”

Facebook has since noted that such issue is not specific to the platform, but they confirmed that it has updated the code and removed inframes from its Messager app.

“We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service,” a spokesperson reportedly told Gizmodo.

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *