Facebook Messenger Bug Let People See Who You’ve Been Talking To

KIEV, UKRAINE – 2018/08/31: The Facebook Messenger logo seen displayed on a smart phone. (Photo by Igor Golovniov/SOPA Images/LightRocket via Getty Images)

In November, researchers discovered a Facebook Messenger bug that allowed websites to extract data from users’ profiles thanks to a security flaw relating to cross-site frame leakage (CSFL). Today, the same team has revealed a now-patched vulnerability that would let websites expose who you’ve been chatting to in Facebook Messenger.

In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application. Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not. That’s essentially the extent of the flaw. It wasn’t able to retrieve conversations or pull data from chat histories — it simply produced binary data with very limited applications for nefarious individuals.

Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger user interface completely. “Browser-based side-channel attacks are still an overlooked subject,” Masas writes on the Imperva blog. “While big players like Facebook and Google are catching up, most of the industry is still unaware.”
