Facebook bug allowed attackers to change Messenger content

And I thought you were my friend…

David Bisson
@DMBisson

Facebook recently patched a vulnerability that allowed attackers to change the content of their messages sent via the Android Messenger app.

On Tuesday, Check Point security researcher Roman Zaikin published a blog post in which he outlines the details of the bug:

“The vulnerability allows a malicious user to change conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more.”

Sign up to our newsletter
Security news, advice, and tips.

Not just anyone could exploit the vulnerability. Only people who were already part of a conversation and who had used proxy servers or malware to discover a message’s ID number could mess around with their Messenger content.

The Messenger website also logs each of its conversations with original messages, meaning a user could access the original text of the conversation in another version of Messenger.

These limitations notwithstanding, Zaikin argues an attacker could leverage the vulnerability to manipulate message history to commit fraud, to hide potentially illegal content, or to incriminate others.

They could even deliver malware to unsuspecting victims, as the researcher notes:

“An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.”

A demonstration of this exploit can be viewed below:

Check Point reported the flaw to Facebook’s security teams, who patched the vulnerability in early May.

The social networking site has since published a blog post about the bug in which it challenges several of Zaikin’s findings, including the idea that an attacker could have exploited the vulnerability to manipulate any message’s content or to distribute malware:

“Content could have only been adjusted by the person who sent the message. The bug did not provide the ability to change someone else’s messages…. [And] [b]ecause even new content was subject to our anti-malware and anti-spam filters, this bug did not introduce the ability to send malicious content that would have been blocked in the original message.”

Trust goes a long way towards protecting yourself against digital attacks on social media. With that in mind, it’s a good idea to not add any connections or friends whom you don’t already know or trust.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.