Facebook Messenger exposed who you'd been chatting with

08 Mar 2019

This Facebook Messenger bug exposed who you chat with

Just a day after Mark Zuckerberg's promise of a more private Facebook, security firm Imperva has disclosed a vulnerability that marred the platform.

The bug, discovered last year, compromised Facebook Messenger and potentially exposed who you had been chatting with.

Facebook fixed the issue after Imperva reported it.

Here's how the bug revealed information about Messenger contacts.

Issue

Browser-based iFrame attack to extract Messenger contacts

A few months back, Imperva's researchers revealed a 'cross-site request forgery' attack that potentially allowed attackers to access likes, location history, and interests of Facebook users.

Now, they have detailed a loosely connected browser-based attack in which hackers could have exploited iFrame properties (iFrames are used to embed content such as ads or other web pages within a web page) to see who you've been in contact with on Facebook.

However, contact information is the only thing the bug exposed

Notably, the bug only exposed information about the people the target had been in contact with and whether they were on the target's friends list. Beyond this, no other information was compromised, including the messages themselves.

Attack

And the attack vector is similar

As the bug in question is exploited through a web browser, Imperva says a bad actor could have carried out this attack by baiting a logged-in Facebook user into clicking a malicious link.

The link would have redirected the target to an attacker-controlled page, where clicking on anything would have allowed the attacker to run queries and see the target's Messenger contacts.

Fix

Facebook patched issue as it was flagged

After the issue was reported in November, Facebook tried randomizing iFrame elements to prevent the attack from being carried out.

However, the company's initial fix didn't work: Imperva's researchers were able to redesign their algorithm and still extract Messenger contacts.

Following this, Facebook removed all iFrame elements altogether to mitigate the risk of the issue.
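An added illustration of why the two fixes described above behave differently. This is not code from the article, Facebook or Imperva, and it makes no claim about how Messenger's pages were actually built or how Imperva's redesigned algorithm worked; the page structure, frame counts and noise distribution are hypothetical. It models a page whose number of embedded frames could depend on a private fact under three rendering policies and checks whether the observable still carries the secret: a count that is merely randomized still differs on average between the two states, whereas a page that renders no frames at all yields nothing to measure.

```javascript
// Added example: toy model of a frame-count side channel and two candidate fixes.
// Constructed for illustration; the policies and numbers are hypothetical, not
// Facebook's or Imperva's code.

// Small seeded PRNG (mulberry32) so the simulation is deterministic.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Hypothetical server-side rendering policies. Each returns the number of
// embedded frames a page would contain, given a private bit (is this person a
// contact of the logged-in user?) and a random source.
const policies = {
  // Vulnerable: the frame count is a deterministic function of the private bit.
  dependent: (isContact) => (isContact ? 3 : 1),
  // First-attempt fix: add uniform noise in {0,1,2,3}. The average still differs by 2.
  randomized: (isContact, rng) => (isContact ? 3 : 1) + Math.floor(rng() * 4),
  // Robust fix: no frames at all, so the observable cannot depend on the secret.
  constant: () => 0,
};

// Average frame count over many renders for one value of the private bit.
function meanFrameCount(policyName, isContact, samples, rng) {
  const render = policies[policyName];
  let total = 0;
  for (let i = 0; i < samples; i++) total += render(isContact, rng);
  return total / samples;
}

// Distinguishing signal: gap between the average observable for the two values
// of the private bit. Zero means the observable carries no information about it.
function leakSignal(policyName, samples = 4000, seed = 1) {
  const rng = mulberry32(seed);
  const withContact = meanFrameCount(policyName, true, samples, rng);
  const withoutContact = meanFrameCount(policyName, false, samples, rng);
  return Math.abs(withContact - withoutContact);
}

// Mitigation check: a fix is only acceptable if the observable is independent
// of the secret, i.e. the gap is within sampling noise.
function fixRemovesSignal(policyName, tolerance = 0.25) {
  return leakSignal(policyName) < tolerance;
}

for (const name of Object.keys(policies)) {
  console.log(`${name}: signal=${leakSignal(name).toFixed(2)} removesSignal=${fixRemovesSignal(name)}`);
}
```

`fixRemovesSignal` is the kind of regression check a defender keeps after closing a side channel: it measures the observable across both values of the private state and fails if they remain distinguishable, which is exactly what a randomized count does and a constant page does not.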

Here's what Facebook said on the issue

"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson said, adding that they've "updated the web version of Messenger to ensure this browser behavior isn't triggered on our service."

Possibility

Such attacks could increase with time

Seeing two attacks of the same kind within months suggests that browser-based hacks could see an uptick in the near future.

Imperva's Ron Masas, who flagged this bug, said the technique isn't common yet but could become popular in 2019.

"While big players like Facebook and Google are catching up, most of the industry is still unaware," he emphasized in a blog.

Privacy focus

Also, Facebook wants to focus on privacy now

The disclosure of this bug also comes just a day after Mark Zuckerberg promised enhanced privacy on Facebook, which has been reeling from scandals like Cambridge Analytica and a massive data breach compromising 30 million people.

Essentially, the Facebook boss plans to focus on private communication, with a unified infrastructure across WhatsApp, Instagram, and Messenger and features such as end-to-end encryption and automatic message deletion.

Most asked questions

Is this bug still active?

Asked 2019-03-08 13:32:56 by Arjun Kapoor

Answered by NewsBytes

The issue is not active and was fixed all the way back in November.

Did this issue reveal personal messages?

Asked 2019-03-08 13:32:56 by Hansika Verma

Answered by NewsBytes

No, it didn't reveal personal messages; only the names of the people you've been talking to.

Are there any other bugs in Facebook?

Asked 2019-03-08 13:32:56 by Diya Powar

Answered by NewsBytes

No, this appears to be the only issue at present.

Will Facebook merge Messenger and WhatsApp?

Asked 2019-03-08 13:32:56 by Ishan Verma

Answered by NewsBytes

Yes, the company plans to merge the underlying infrastructure of the platforms.