Facebook Messenger bug revealed who you had conversations with
Facebook is making a big shift to private messages, but it's not immune to security vulnerabilities.
The security bug didn't show the content of the messages, but just knowing who you were in touch with has the potential to harm your privacy, said Ron Masas, the security researcher who discovered the vulnerability.
“It could be sent to high-profile targets to figure out who they've had a conversation with,” Masas said. “If you sent a message to a bot to order pizzas, I would know.”
Facebook said Thursday it fixed the bug in December.
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson said. “We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behavior isn't triggered on our service.”
Masas had also detailed a similar Facebook bug in November, where data thieves could see private posts you've liked and what your friends have liked.
The bug worked by analyzing iFrames, the code used to embed content like YouTube videos on pages. In your browser, Messenger loaded a specific number of iFrames for people you've had a conversation with and people you've never talked to, Masas said.
The security researcher developed a tool that'd report the number of iFrames loaded, and with that data, he could figure out who someone has been in touch with.
For the attack to work, the victim would have to click on a link leading to Masas' tool. In his proof-of-concept, he set the trap link as a video, so that unsuspecting victims would be distracted while that data was siphoned off.
So the spying tool would run in one tab, gathering data on the iFrames of the recipient's Facebook page open in another tab.
“The original tab can ask the browser how many iFrames another tab has,” Masas said. “It looks for this pattern that indicates whether or not you've had a conversation with a person.”
That pattern was a specific drop in iFrames if you've never spoken with somebody on Messenger.
The blue line indicates you never spoke with someone on Facebook Messenger. The red line means you did. That spike in the iFrames load indicates the difference.
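A site's own developers can turn the pattern described above into a regression check: record the frame count while a page loads under test accounts in different states, and fail the build if the count alone separates the states. The sketch below is an added example, not Masas' tool or Facebook's code; the trace values are constructed, and the function names and the idea of sampling at fixed intervals are assumptions.

```javascript
// Constructed sample data (not measurements of any real service): frame counts
// sampled at fixed intervals while one page loads, several runs per account state.
const beforeFix = {
  hasConversation: [[0, 1, 3, 3, 3, 3], [0, 0, 2, 3, 3, 3]],
  noConversation:  [[0, 1, 3, 0, 0, 0], [0, 2, 3, 3, 0, 0]],
};
const afterFix = {
  hasConversation: [[0, 1, 3, 3, 3, 3], [0, 0, 2, 3, 3, 3]],
  noConversation:  [[0, 1, 3, 3, 3, 3], [0, 2, 3, 3, 3, 3]],
};

// Reduce one run to features an outside observer could derive from the count alone.
function summarize(run) {
  let largestDrop = 0;
  for (let i = 1; i < run.length; i++) {
    largestDrop = Math.max(largestDrop, run[i - 1] - run[i]);
  }
  return { peak: Math.max(...run), final: run[run.length - 1], largestDrop };
}

// Range of one feature across all runs recorded for a state.
function featureRange(runs, feature) {
  const values = runs.map((run) => summarize(run)[feature]);
  return { min: Math.min(...values), max: Math.max(...values) };
}

// A feature leaks the state when its ranges for two states never overlap, so
// a single observation tells the states apart despite load-time jitter.
function auditFrameCounts(tracesByState) {
  const states = Object.keys(tracesByState);
  const findings = [];
  for (const feature of ['peak', 'final', 'largestDrop']) {
    for (let a = 0; a < states.length; a++) {
      for (let b = a + 1; b < states.length; b++) {
        const ra = featureRange(tracesByState[states[a]], feature);
        const rb = featureRange(tracesByState[states[b]], feature);
        if (ra.max < rb.min || rb.max < ra.min) {
          findings.push({ feature, states: [states[a], states[b]], ranges: [ra, rb] });
        }
      }
    }
  }
  return findings;
}

console.log(auditFrameCounts(beforeFix).map((f) => f.feature));
console.log(auditFrameCounts(afterFix).length);
```

An empty result means the frame count carries no signal about the account state in the recorded runs; any finding names the feature that has to be made constant across states.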