Facebook vulnerability in Messenger revealed who you were chatting with

By Digit NewsDesk | Updated 9 Mar 2019
Facebook vulnerability in Messenger revealed who you were chatting with
  • The social media company patched the bug back in December last year.

Highlights:

  • A flaw in the web version of Facebook Messenger was discovered. 
  • It could enable attackers to figure out with whom a user was chatting with. 
  • The vulnerability has been patched by Facebook. 

 

advertisements


Facebook’s Mark Zuckerberg recently said that he wants to better secure the social media platform. Even if the company’s plans do come to fruition and, hopefully, we get to see a more secure Facebook, it is not completely impervious to vulnerabilities and flaws. The cyber security firm Imperva recently reported of a vulnerability in the web version of Facebook Messenger, which enabled any website to see who you have been chatting with. While the flaw is said to have not revealed the contents of a user’s chat, but it enabled potential attackers to know who the person was in contact, and chatting with. Facebook said that it patched the flaw in December last year. 

"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson told CNET. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behaviour isn't triggered on our service." Ron Masas, a security researcher at Masas who discovered the vulnerability, said that this vulnerability was exploited using browser-based side-channel attacks, which “are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”

Masas detailed the bug in a blog post and it apparently stems from the use of iFrames, which are Inline Frame codes to embed content from pages like YouTube. Analysing the number of iFrames being loaded, the researcher was able to figure out with whom a user was having conversations. This was done via a tool that he developed but for it to work, a user would need to be led to it. The tool would look for a dip in the number of iFrames, which happened in case you’ve never had a conversation with someone on Facebook. 

advertisements

Dip in the iFrame count revealing user had a conversation with someone (top) vs stable iFrame count (bottom) for someone a user didn't have a conversation with 

Related Reads:

Mark Zuckerberg envisions, promises privacy-focused social networking, explains Facebook’s future plans in a 3200-word letter

advertisements
advertisements
Digit NewsDesk
The guy who answered the question 'What are you doing?' with 'Nothing'.
advertisements
ASK DIGIT

Recent Questions

best video calling app with chatting functoin ....
Aditya Malpure
Aug 31, 2014
Responses 1
Vivek Bhatt
Sept 2, 2014
Comments
Be the first one to post the comment
Post a New Comment
You must be signed in to post a comment
advertisements