A new vulnerability has hit the web version of Facebook Messenger. According to cyber-security firm Imperva, the Facebook Messenger vulnerability exposes the names of the the people users have been chatting with using the app.
Imperva is credited with revealing a number of security flaws on the web, including one that allowed malicious websites to access users’ Facebook data to see their likes, location history and interests. This new Facebook Messenger vulnerability is somewhat less serious, although it could still be dangerous. Imperva researcher Ron Masas explained in a blog post how the exploit works.
Hackers set a clickbait trap to attract naive Messenger users on the web version of the app. When victims click the link, it redirects them to a malicious website which enables the hackers to exploit certain iframe element properties. This enables them to see the names of the people the user has been communicating with on Messenger. Masas informed Facebook of the issue, and the company issued a fix. However, he was even able to get around that.
“Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept,” Masas wrote. “However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.”
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson told Gizmodo. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
Facebook CEO Mark Zuckerberg recently wrote about his vision for a united version of WhatsApp, Messenger and Instagram, stressing how uniting them should improve users’ perception of privacy. He explained his idea in a lengthy Facebook post, adding that he believes “a privacy-focused communications platform will become even more important than today’s open platforms.”
“Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks,” he added.
However, the company’s push to combine the three social networks has already hit obstacles from regulators and lawmakers on both sides of the Atlantic Ocean.
2/2 — Imagine how different the world would be if Facebook had to compete with Instagram and WhatsApp. That would have encouraged real competition that would have promoted privacy and benefited consumers.
— Rep. Ro Khanna (@RepRoKhanna) January 25, 2019
If privacy really is a major focus of tech companies like Facebook, then it’s worth questioning why security flaws, data breaches and leaks have become routine in the last few years. Fortunately, the recently-discovered Facebook Messenger vulnerability doesn’t expose the actual conversations two users were having. The only data it exposed was whether the affected user has been messaging with specific people or businesses via the platform. Although this doesn’t sound like much, it demonstrates again how can easily hackers can obtain information about people without their knowledge.
“Browser-based side-channel attacks are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware,” Masas wrote.