
Image credit: SOPA Images via Getty Images

Facebook Messenger bug let other people see who you'd been talking to

The now-fixed flaw pushed Facebook to change the app's interface.

In November, researchers discovered a Facebook bug that allowed websites to extract data from users' profiles thanks to a security flaw relating to cross-site frame leakage (CSFL). Today, the same team has revealed a now-patched vulnerability that would let websites expose who you've been chatting to in Facebook Messenger.

In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application. Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not. That's essentially the extent of the flaw. It wasn't able to retrieve conversations or pull data from chat histories -- it simply produced binary data with very limited applications for nefarious individuals.

Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger interface completely. "Browser-based side-channel attacks are still an overlooked subject," Masas writes on the Imperva blog. "While big players like Facebook and Google are catching up, most of the industry is still unaware."
