This Facebook Messenger bug exposed who you chat with
Just a day after Mark Zuckerberg's promise of a more private Facebook, security firm Imperva has revealed a vulnerability that marred the platform. The bug, discovered last year, compromised Facebook Messenger and potentially exposed who you had been chatting with. However, Facebook, when informed by the company, took care of the issue. Here's how the bug revealed information about Messenger contacts.
A few months back, Imperva's researchers revealed a 'cross-site request forgery' attack that potentially allowed attackers to access likes, location history, and interests of Facebook users. Now, they have detailed a loosely connected browser-based attack, where hackers could have exploited iFrame properties - used for embedding content like ad/web-pages within web pages - to see who you've been in contact with on Facebook.
Notably, the bug only exposed information about the people the target had been in contact with and if they were in the target's friends list. Except this, no other information was compromised, including the messages involved.
As the bug in question is exploited through a web browser, Imperva says a bad actor could have carried out this attack by baiting a logged-in Facebook user to click on a malicious link. It would have redirected the target to an infected page, where clicking on anything would have allowed the attacker to run queries and see the messenger contacts.
After the issue was reported in November, Facebook tried randomizing iFrame elements to prevent the attack from being carried out. However, the initial fix from the company didn't work and Imperva's researchers were able to redesign their algorithm to extract Messenger contact. Following this, Facebook removed all iFrame elements altogether to mitigate the risk of the issue.
"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson said, adding that they've "updated the web version of Messenger to ensure this browser behavior isn't triggered on our service."
Seeing two attacks of the same kind within months shows that browser-based hacks could see an upward tick in the near future. Imperva's Ron Masas, who flagged this bug, claimed the technique isn't common but can become popular in 2019. "While big players like Facebook and Google are catching up, most of the industry is still unaware," he emphasized in a blog.
The disclosure of this bug also comes just a day after Mark Zuckerberg promised enhanced privacy on Facebook, which has been reeling from scandals like Cambridge Analytica and a massive data breach compromising 30 million people. Essentially, the Facebook boss plans to focus on private communication with a unified infrastructure of WhatsApp, Instagram, and Messenger and features like end-to-end encryption and automatically deleting messages.
