Recently, a flaw in the web version of Facebook Messenger was discovered which allowed attackers to see who users chat with. Read on to know more about it…
Recently, Facebook’s CEO, Mark Zuckerberg said that he wants to strengthen the privacy and security of Facebook. Even as Facebook plans to highlight the privacy features of its popular social media platform Facebook and its messenger, it is altogether a different story on the ground.
A security flaw in the web version of Facebook Messenger was discovered recently by cyber-security firm Imperva which reported that it enabled attackers to figure out with whom a user was chatting with. While the flaw is said to have not revealed the contents of a user’s chat, but it enabled potential attackers to know who the person was in contact, and chatting with. Facebook said that it patched the flaw in December last year.
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson told CNET. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behaviour isn’t triggered on our service.” Ron Masas, a security researcher at Masas who discovered the vulnerability, said that this
vulnerability was exploited using browser-based side-channel attacks, which “are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”
The flaw existed in the desktop website of Facebook Messenger. The iframe elements in the website could be exploited by attackers to determine who the users chat with. In a recent incident, Ron Masas, a security researcher at Imperva discovered a security bug in the platform’s messaging website Messenger. This flaw was found in the application’s desktop website. Attackers could insert malicious links which upon clicking, would allow them to see users’ conversations.
Masas detailed the bug in a blog post and it apparently stems from the use of iFrames, which are Inline Frame codes to embed content from pages like YouTube. Analysing the number of iFrames being loaded, the researcher was able to figure out with whom a user was having conversations. This was done via a tool that he developed but for it to work, a user would need to be led to it. The tool would look for a dip in the number of iFrames, which happened in case you’ve never had a conversation with someone on Facebook. Dip in the iFrame count revealing user had a conversation with someone (top) vs stable iFrame count (bottom) for someone a user didn’t have a conversation with.
Ron Masas noticed that the web application of Messenger used iframe elements to power the user interface. He found that these iframes could be used to get information about the ‘states’ which can give clues about the users’ conversations in Messenger. The number of iframes changed every time a user contacted another user through Messenger. Due to this reason, attackers could trick users into clicking malicious webpages where they would distract the users while they execute the exploit in the background tab of Messenger.
To execute the exploit, the attacker would reload Messenger in the background and count the number of iframes in the page which tells us whether they have been chatting with specific users. Thus, attackers can perform a Cross-Site Frame Leakage attack which is a type of side-channel attack on the end user’s browser. However, attackers cannot expose the complete content of the conversation.