Facebook vulnerability in Messenger revealed who you were chatting with

By Digit NewsDesk | Published on Mar 09 2019
Facebook vulnerability in Messenger revealed who you were chatting with

The social media company patched the bug back in December last year.

Make your home smarter than the average home

Make your life smarter, simpler, and more convenient with IoT enabled TVs, speakers, fans, bulbs, locks and more.

Click here to know more


  • A flaw in the web version of Facebook Messenger was discovered. 
  • It could enable attackers to figure out with whom a user was chatting with. 
  • The vulnerability has been patched by Facebook. 


Facebook’s Mark Zuckerberg recently said that he wants to better secure the social media platform. Even if the company’s plans do come to fruition and, hopefully, we get to see a more secure Facebook, it is not completely impervious to vulnerabilities and flaws. The cyber security firm Imperva recently reported of a vulnerability in the web version of Facebook Messenger, which enabled any website to see who you have been chatting with. While the flaw is said to have not revealed the contents of a user’s chat, but it enabled potential attackers to know who the person was in contact, and chatting with. Facebook said that it patched the flaw in December last year. 

"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson told CNET. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behaviour isn't triggered on our service." Ron Masas, a security researcher at Masas who discovered the vulnerability, said that this vulnerability was exploited using browser-based side-channel attacks, which “are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”

Masas detailed the bug in a blog post and it apparently stems from the use of iFrames, which are Inline Frame codes to embed content from pages like YouTube. Analysing the number of iFrames being loaded, the researcher was able to figure out with whom a user was having conversations. This was done via a tool that he developed but for it to work, a user would need to be led to it. The tool would look for a dip in the number of iFrames, which happened in case you’ve never had a conversation with someone on Facebook. 

Dip in the iFrame count revealing user had a conversation with someone (top) vs stable iFrame count (bottom) for someone a user didn't have a conversation with 

Related Reads:

Mark Zuckerberg envisions, promises privacy-focused social networking, explains Facebook’s future plans in a 3200-word letter

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.