- A flaw in the web version of Facebook Messenger was discovered.
- It could enable attackers to figure out with whom a user was chatting with.
- The vulnerability has been patched by Facebook.
Facebook’s Mark Zuckerberg recently said that he wants to better secure the social media platform. Even if the company’s plans do come to fruition and, hopefully, we get to see a more secure Facebook, it is not completely impervious to vulnerabilities and flaws. The cyber security firm Imperva recently reported of a vulnerability in the web version of Facebook Messenger, which enabled any website to see who you have been chatting with. While the flaw is said to have not revealed the contents of a user’s chat, but it enabled potential attackers to know who the person was in contact, and chatting with. Facebook said that it patched the flaw in December last year.
"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson told CNET. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behaviour isn't triggered on our service." Ron Masas, a security researcher at Masas who discovered the vulnerability, said that this vulnerability was exploited using browser-based side-channel attacks, which “are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”
Reliance Jio surpases Airtel to become the second largest telecom operator in India
Indian techie awarded $30,000 for finding flaw in Instagram
Twitter launches ‘Hide Replies’ feature to give you more control over your conversations
Facebook hires former Vine head, may work on TikTok competitor Lasso
Amazon Echo Dot (3rd Gen) receives price cut in India ahead of Prime day 2019
Masas detailed the bug in a blog post and it apparently stems from the use of iFrames, which are Inline Frame codes to embed content from pages like YouTube. Analysing the number of iFrames being loaded, the researcher was able to figure out with whom a user was having conversations. This was done via a tool that he developed but for it to work, a user would need to be led to it. The tool would look for a dip in the number of iFrames, which happened in case you’ve never had a conversation with someone on Facebook.
Dip in the iFrame count revealing user had a conversation with someone (top) vs stable iFrame count (bottom) for someone a user didn't have a conversation with