Facebook Messenger bug made it possible for hackers to see who you have been chatting with

Want to keep who you chat with private? Be careful…

A security researcher has revealed details of a flaw in Facebook Messenger that made it possible for “any website to expose who you have been messaging with.”

Imperva’s Ron Masas, who in the past has identified a bug that allowed unauthorised websites to view Facebook users’ location histories, likes and interests, discovered the flaw in the web version of Facebook Messenger.

Masas discovered a way of exploiting the Messenger website’s use of iFrames to determine who users had been chatting with.

Hackers could potentially put the technique into practice by tricking a user into visiting a link to a malicious webpage. Once there, if the user clicked anywhere on the webpage (perhaps by being duped into clicking on a “play video” button) a new browser window could be opened in the background querying Messenger to determine if the current user has been in contact with specific Facebook Messenger users.

The flaw, which is not present in the app versions of Facebook Messenger, cannot be used to expose the content of conversations – but can be used to figure out who you have been in conversation with. That’s potentially useful information if you are a business rival, intelligence agency, or jealous partner.

Masas reported the security vulnerability to Facebook, and the web version of Messenger was fixed late last year – albeit only after Facebook’s first fix proved to be insufficient:

“Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.”

The revelation of another privacy hole in Facebook comes days after Mark Zuckerberg shared his “privacy-focused vision” for Facebook, WhatsApp, and Instagram (yes, I choked on my cornflakes hearing that from him too…).

The revelation of a privacy flaw is hardly ideal timing for the social networking giant, which is attempting to shake off growing concerns from its billions of users.

But to give them credit, Facebook does appear to have now fixed the bug. Furthermore, in its statement it pointed out that the flaw on its Messenger website was not one that was Facebook-specific:

“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook. We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behaviour isn’t triggered on our service.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
