In November, researchers discovered a Facebook messenger bug that allowed websites to extract data from users’ profiles thanks to a security flaw relating to cross-site frame leakage (CSFL). Today, the same team has revealed a now-patched vulnerability that would let websites expose who you’ve been chatting to in Facebook Messenger.
In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application. Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not. That’s essentially the extent of the flaw. It wasn’t able to retrieve conversations or pull data from chat histories — it simply produced binary data with very limited applications for nefarious individuals.
Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger userface completely. “Browser-based side-channel attacks are still an overlooked subject,” Mases writes on the Imperva blog. “While big players like Facebook and Google are catching up, most of the industry is still unaware.”