A security researcher has revealed details of a flaw in Facebook Messenger that made it possible for “any website to expose who you have been messaging with.”
Imperva’s Ron Masas, who in the past has identified a bug that allowed unauthorised websites to view Facebook users’ location histories, likes and interests, discovered the flaw in the web version of Facebook Messenger.
Masas discovered a way of exploiting the Messenger website’s use of iFrames to determine who users had been chatting with.
Hackers could potentially put the technique into practice by tricking a user into visiting a link to a malicious webpage. Once there, if the user clicked anywhere on the webpage (perhaps by being duped into clicking on a “play video” button) a new browser window could be opened in the background querying Messenger to determine if the current user has been in contact with specific Facebook Messenger users.
The flaw, which is not present in the app versions of Facebook Messenger, cannot be used to expose the content of conversations – but can be ysed to figure of you who you have been in conversation with. That’s potentially useful information if you are a business rival, intelligence agency, or jealous partner.
Masas reported the security vulnerability to Facebook, and the web version of Messenger was fixed late last year – albeit only after Facebook’s first fix proved to be insufficient:
“Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.”
The revelation of another privacy hole in Facebook comes days after Mark Zuckerberg shared his “privacy-focused vision” for Facebook, WhatsApp, and Instagram (yes, I choked on my cornflakes hearing that from him too…).
The revelation of a privacy flaw, is hardly ideal timing for the social networking giant which is attempting to shake off growing concerns from its billions of users.
But to give them credit, Facebook does appear to have now fixed the bug. Furthermore, in its statement it pointed out that the flaw on its Messenger website was not one that was Facebook-specific:
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook. We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behaviour isn’t triggered on our service.”
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.