Ron Masas, a researcher at the cybersecurity company Imperva, has detailed how a security vulnerability in Facebook Messenger could have been exploited by hackers to find out who a particular person has been talking to. Facebook was alerted about the bug in November and fixed it by the end of the next month. The issue only affected the browser version of Messenger, not the mobile apps for Android and iOS.
The uncommon attack would have enabled cybercriminals to exploit iFrame elements in a web browser to find out who their target communicates with on Facebook's messaging service, and which users are not among their contacts. An iFrame is the HTML element a page uses to embed another page's content inside itself.
To launch the attack, the hacker would have had to lure an unsuspecting user into visiting a malicious website and clicking anywhere on it while logged into Facebook in another tab. That click would let the malicious page run queries in a new Facebook tab, unbeknownst to the target. By working out how many iFrames had been loaded, the hacker would have been able to figure out who a particular person has been sending messages to. Moreover, the bug could also reveal who you have never spoken to via Messenger, by analyzing the pattern of iFrame counts: if a person had never been messaged, the count showed a specific, recognisable drop.
When the bug was first flagged to Facebook, the social media giant responded by randomizing the number of iFrames. However, this didn't work, as the aforementioned drop in the pattern was still there. This compelled Facebook to change Messenger's interface and remove iFrames from it entirely.
Imperva has confirmed that the security flaw couldn't grant hackers access to the content of the messages, which is a little reassuring. However, it could still have put power users at risk. For its part, Facebook thanked Masas for finding the bug but at the same time absolved itself of responsibility, stating that the issue was related to the way web browsers handle embedded content.
Previously, Masas had unearthed a similar bug which let hackers see users' likes, interests, and location history. That flaw was also linked to cross-site frame leakage (CSFL). Recently, Facebook's CEO Mark Zuckerberg announced plans to focus on encrypted messaging to step up the privacy of his platform. However, Masas says that the bug he has identified is impervious to encryption as it uses iFrames to extract information.
He went on to say that browser-based attacks should be taken more seriously and that while top guns such as Facebook and Google are now catching up, others in the industry are still behind. He also warned that the technique could increasingly be used in 2019 by nefarious actors, as it's not traceable. To prevent such data breaches, steps would have to be taken by browser makers and web standards groups. Moreover, web application makers should also carry out a security audit to remove any vulnerability that could make their users susceptible to such an attack.
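The audit Masas recommends can start with the response headers that decide whether a cross-site page is allowed to embed yours in an iFrame or keep a usable handle to a tab it opened, which is what a frame-counting leak relies on. The following Node.js checker is an added example written for this article, not code from Imperva or Facebook; the finding ids and the constructed sample headers are mine, and Cross-Origin-Opener-Policy is a browser header that postdates this 2018 report.

```javascript
"use strict";

// Split a Content-Security-Policy value into { directiveName: [tokens...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// True when frame-ancestors limits embedding to a fixed set of origins
// (a wildcard or a bare scheme such as "https:" still lets any site embed the page).
function frameAncestorsRestricts(tokens) {
  const sources = tokens.map((t) => t.replace(/^'|'$/g, "").toLowerCase());
  return !sources.some((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s));
}

// Audit a page's response headers (name -> value, any casing) for the
// protections that stop a cross-site page from counting its frames.
function auditFrameProtections(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value).trim();
  const findings = [];

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const xfoEnforced = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (xfo && !xfoEnforced) {
    findings.push({ id: "xfo-unsupported", detail: `X-Frame-Options "${xfo}" is not enforced by current browsers` });
  }

  let cspRestricts = false;
  if (h["content-security-policy"]) {
    const fa = parseCsp(h["content-security-policy"])["frame-ancestors"];
    if (fa) cspRestricts = frameAncestorsRestricts(fa);
  }
  if (!xfoEnforced && !cspRestricts) {
    findings.push({ id: "frameable", detail: "any origin may embed this page in an iframe" });
  }

  // COOP (introduced after this bug was fixed) puts the page in its own browsing
  // context group, so a cross-origin page that window.open()s it gets a severed handle.
  const coop = (h["cross-origin-opener-policy"] || "").toLowerCase();
  if (coop !== "same-origin" && coop !== "same-origin-allow-popups") {
    findings.push({ id: "opener-reachable", detail: "a cross-origin page that opens this one keeps a live window handle" });
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: the headers of a page with no framing protection at all.
console.log(auditFrameProtections({ "Content-Type": "text/html" }).findings.map((f) => f.id));
```

Run it with `node audit.js`; feed it the headers of your own application's responses (for example from `res.getHeaders()` in an Express handler) and treat any non-empty findings list as work for the audit.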