The flaw is in a browser code included on the messaging service
Facebook is making some changes to its messaging services, although this could backfire on the process. According to experts in network security of the International Institute of Cyber Security, a flaw on Facebook would have allowed malicious actors to know who to chat with a user via Facebook Messenger.
Although the flaw does not reveal the content of the conversations, knowing which chats you write more frequently for a user could be detrimental to your privacy, mentions the network security expert who discovered the vulnerability.
According to the social network, the vulnerability in question was corrected last December. “The problem lies in how browsers manage embedded content in web pages, this flaw is not inherent to Facebook”, mentions a social network security alert. Web browser managers have already received a number of recommendations to prevent the failure from being exploited again in the future.
Vulnerability is exploited when analyzing iFrames (code used to attach content, videos on YouTube pages, for example). Facebook Messenger loads a specific number of iframes for the people with whom a user has interacted and for the people with whom he never speaks for this service.
Network security experts developed a tool to detect the number of loaded iframes in order to find out the most frequent contacts of a Facebook Messenger user.
The success of the attack depends on the victim clicking on a link that redirects to the website where the investigator’s tool is located; for the proof of concept, the attackers embedded the link in a video.
Facebook corrected the vulnerability by eliminating iFrames from Messenger completely. The revelation of this vulnerability comes one day after Mark Zuckerberg, CEO of Facebook, announced his plans regarding privacy in Facebook Messenger, which focus on the encryption of communications in this platform.
However, the specialists add that the encryption would not serve to correct a vulnerability like this, because iFrames is a function added by the browsers, not by Facebook. “These data were filtered on the client side. encryption would not affect this vulnerability”, experts added.