Browser Bug Exposed Facebook Messenger Chat History

A now-patched vulnerability in the Web version of Facebook Messenger allowed any website to see who you have been texting.

Cybersecurity service Imperva this week reported a so-called “Cross-Site Frame Leakage” (CSFL)—a side-channel attack previously spotted in November.

“As happens with applications I regularly use, I felt the need to understand how Facebook Messenger works,” Imperva security researcher Ron Masas wrote in a blog post.

“I started poking around the Messenger Web application and noticed that iFrame elements were dominating the user interface,” he continued. “The chat box, as well as the contact list, were rendered in iFrames, opening the possibility for a CSFL attack.”

Testing his theory, Masas found that by recording “full state” and “empty state” data, he could remotely determine whether someone has chatted with a specific person or business.

When illustrated as lines (below), you can see a blip in the empty state iFrame count, which signifies zero communication between two users; if contact has been made, the pattern remains steady.

And while the glitch doesn’t allow hackers to retrieve individual conversations, it does, as Masas pointed out, violate users’ privacy.

He reported the vulnerability to Facebook, which has since removed all iFrames from the Messenger interface completely.

“The bug is a browser issue related to how they handle content embedded in webpages, and could affect any site, not just Messenger.com,” a Facebook spokesman told Geek in an email. “We already fixed the issue for Messenger.com last year to safeguard our users and made recommendations to browser makers to prevent this type of issue from happening.”

“Browser-based side-channel attacks are still an overlooked subject,” Masas said. “While big players like Facebook and Google are catching up, most of the industry is still unaware.”

Imperva researchers in November discovered a similar bug that allowed websites to extract data from Facebook user profiles, thanks to a security flaw relating to cross-site frame leakage.

A month later, the social network announced that its internal team found a photo API flaw that could have impacted up to 6.8 million users, and might have allowed third-party apps access to people’s private images.

Editor’s note: This article was updated on March 11, with comment from Facebook.
