This Facebook Messenger bug exposed who you chat with

A few months back, Imperva's researchers revealed a 'cross-site request forgery' attack that potentially allowed attackers to access likes, location history, and interests of Facebook users.

Now, they have detailed a loosely connected browser-based attack, where hackers could have exploited iFrame properties - used for embedding content like ad/web-pages within web pages - to see who you've been in contact with on Facebook.

As the bug in question is exploited through a web browser, Imperva says a bad actor could have carried out this attack by baiting a logged-in Facebook user to click on a malicious link.

It would have redirected the target to an infected page, where clicking on anything would have allowed the attacker to run queries and see the messenger contacts.

After the issue was reported in November, Facebook tried randomizing iFrame elements to prevent the attack from being carried out.

However, the initial fix from the company didn't work and Imperva's researchers were able to redesign their algorithm to extract Messenger contact.

Following this, Facebook removed all iFrame elements altogether to mitigate the risk of the issue.

Seeing two attacks of the same kind within months shows that browser-based hacks could see an upward tick in the near future.

Imperva's Ron Masas, who flagged this bug, claimed the technique isn't common but can become popular in 2019.

"While big players like Facebook and Google are catching up, most of the industry is still unaware," he emphasized in a blog.

The disclosure of this bug also comes just a day after Mark Zuckerberg promised enhanced privacy on Facebook, which has been reeling from scandals like Cambridge Analytica and a massive data breach compromising 30 million people.

Essentially, the Facebook boss plans to focus on private communication with a unified infrastructure of WhatsApp, Instagram, and Messenger and features like end-to-end encryption and automatically deleting messages.