A security researcher has claimed that Facebook Messenger had a security flaw allowing attackers to learn who users have been chatting with on the messaging platform.
Ron Masas, an Imperva security researcher, reveals that a year ago, the company’s researchers discovered that hackers could use “any website to expose who you have been messaging with.”
Masas explains that hackers could learn who Messenger users have talked to by targeting their web browser and exploiting iframe elements. If, for example, the user “sent a message to a bot to order a pizza,” attackers would know.
He went on to say that the vulnerability could harm “high-profile targets to figure out who they’ve had a conversation with.”
With regard to the extent of the security flaw, the researcher says attackers could learn which friends a user contacted and which were not in a user’s contact list. It’s worth noting that potential hackers could not access chat histories or conversations.
The firm reported the Messenger bug to Facebook back in May, and it was eventually patched.
A Facebook representative told CNET that Masas’s report “stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.”
The spokesperson says they already sent recommendations to relevant web standards groups and browser makers. The goal is to encourage these firms to take measures to prevent this type of issue from happening in other web applications down the line.
Messenger’s web version has already been updated to make sure “this browser behavior isn’t triggered on our service,” the representative added.
This is not the first time the Mark Zuckerberg-led firm has found itself in hot water. In fact, in December last year, another Facebook vulnerability surfaced, which exposed uploaded but not published photos of nearly 7 million users to over 1,500 apps linked with Facebook. A blog post from the company explains that the bug stemmed from an application programming interface error introduced by an update.