A previous Facebook Messenger vulnerability once allowed others to unlock contacts and chat histories from strangers’ accounts…
Back in November, security researchers uncovered a bug affecting Facebook which allowed websites to extract user data. It relied on a technique known as “cross-site frame leakage” or CSFL. Now, the same team has found another vulnerability which lets websites expose users’ chats in Messenger.
Facebook Messenger Vulnerability Exposes Chat Histories
The problem has already been remedied and doesn’t appear to be particularly serious. Imperva, the company that identified the flaw, explains the details in a blog post.
An attacking website would use a CSFL attack to exploit the properties of iFrame elements in order to determine the state of a given mobile application.
Running the process through the Facebook Messenger client would ultimately result in one of two outcomes: full or empty. The outcome reveals whether or not a user has communicated with a specific contact.
Tech jargon aside, it couldn’t retrieve conversations or even pull data from users’ chat histories. It only produced binary data with very narrow applications for nefarious persons.
The company revealed the bug to Facebook. As a result, the social network removed all iFrames from Messenger.
Security researcher Ron Masas wrote, “Browser-based side-channel attacks are still an overlooked subject. While big players like Facebook and Google are catching up, most of the industry is still unaware.”
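The regression check below is an added example, not code from Imperva or Facebook: it audits serialized snapshots of one view for the condition a CSFL attack depends on, namely that the frames on a page differ from one application state to another. It assumes the leaked iFrame property is the frame count, which a cross-origin window reference exposes; the snapshot markup and function names are constructed for illustration.

```javascript
// Added example (not Imperva's or Facebook's code). Assumption: the leaked
// iframe property is the frame count, which a cross-origin window reference
// exposes as `length`. Snapshots are serialized DOM of one view per state.

// Constructed markup for a hypothetical chat view; not Facebook's real HTML.
const SNAPSHOTS = {
  "contact-with-history":
    '<div id="thread"><iframe src="/w/1"></iframe><IFRAME src="/w/2"></IFRAME>' +
    '<iframe src="/w/3"></iframe></div>',
  "contact-without-history":
    '<div id="thread"><!-- <iframe src="/w/1"></iframe> --><p>No messages</p></div>',
  "logged-out": '<form id="login"><input name="email"></form>',
};

// Count frame elements, ignoring markup that is commented out.
function countFrames(html) {
  const live = html.replace(/<!--[\s\S]*?-->/g, "");
  return (live.match(/<(?:iframe|frame)\b/gi) || []).length;
}

// Group states by the frame count an outside page could observe.
// States in different groups can be told apart; states sharing a group cannot.
function auditFrameLeak(snapshots) {
  const groups = new Map();
  for (const [state, html] of Object.entries(snapshots)) {
    const n = countFrames(html);
    if (!groups.has(n)) groups.set(n, []);
    groups.get(n).push(state);
  }
  return { leaks: groups.size > 1, groups: Object.fromEntries(groups) };
}

// The remediation the article describes: the same states with no iframes.
function stripFrames(html) {
  return html.replace(/<iframe\b[\s\S]*?<\/iframe\s*>/gi, "");
}

const before = auditFrameLeak(SNAPSHOTS);
const after = auditFrameLeak(
  Object.fromEntries(Object.entries(SNAPSHOTS).map(([s, h]) => [s, stripFrames(h)]))
);
console.log("before:", JSON.stringify(before));
console.log("after: ", JSON.stringify(after));
```

A static count only covers frames present in the serialized markup, so snapshots should be taken after the page has finished rendering in each state.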