Image credit: SOPA Images via Getty Images

Facebook Messenger bug let other people see who you'd been talking to

The now-fixed flaw pushed Facebook to change the app's interface.

In November, researchers discovered a Facebook bug that allowed websites to extract data from users' profiles thanks to a security flaw relating to cross-site frame leakage (CSFL). Today, the same team has revealed a now-patched vulnerability that would let websites expose who you've been chatting to in Facebook Messenger.

In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application. Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not. That's essentially the extent of the flaw. It wasn't able to retrieve conversations or pull data from chat histories -- it simply produced binary data with very limited applications for nefarious individuals.

Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger interface completely. "Browser-based side-channel attacks are still an overlooked subject," Masas writes on the Imperva blog. "While big players like Facebook and Google are catching up, most of the industry is still unaware."
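Removing iFrames is one fix; the more general server-side control against frame-based side channels is to refuse cross-site framing, since a page that cannot be embedded by another origin cannot have its frame state probed. As an added defensive example (not from the article or from Imperva's write-up), the following Node.js function checks a response's headers for that protection; the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` semantics are real, and the sample header sets are constructed.

```javascript
// Added example: decide whether a response's headers stop other origins from
// framing the page. A cross-site frame leak needs to embed the target in an
// iframe, so a page that refuses cross-origin framing cannot be probed that way.
// Returns { protected: boolean, reason: string }.

function parseFrameAncestors(csp) {
  // CSP is a ';'-separated list of directives; return the frame-ancestors source list
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // directive absent
}

function framingProtection(headers) {
  // Normalise header names; real HTTP clients usually lower-case them already
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Browsers that understand CSP frame-ancestors give it precedence over X-Frame-Options
  const csp = h['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    // '*' or a bare scheme such as 'https:' lets any site embed the page
    const open = sources.some((s) => s === '*' || /^[a-z]+:$/.test(s));
    return open
      ? { protected: false, reason: `frame-ancestors allows any origin (${sources.join(' ')})` }
      : { protected: true, reason: `frame-ancestors limits framing to: ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is obsolete and unsupported' };
  }
  return { protected: false, reason: 'no framing restriction: page can be embedded cross-site' };
}

// Constructed sample responses (not captured from any real site)
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, framingProtection(headers));
}
```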
