As Mark Zuckerberg’s privacy parade carries on, a researcher has revealed his findings of a since-patched Facebook vulnerability in Messenger that could potentially expose information about who users had been communicating with.
Cybersecurity software company Imperva—which previously identified another bug that allowed websites to see Facebook users’ “likes,” location history, and interests—shared its report on the vulnerability in a blog post by researcher Ron Masas on Thursday. Using a users’ browser, a hacker could potentially exploit iframe properties to see who that user had been chatting with on Messenger.
Masas said a hacker could do this by essentially baiting a Messenger user to click on a bad link to a malicious site. Once they clicked anywhere on the page, a new window would open—potentially out of view of the user—and allow the hacker to probe whether the user had been or had not been in conversation with other Facebook users on Messenger. After Masas flagged the issue to Facebook the first time, he was able to get around the company’s initial fix:
Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.
The company noted that the issue is not specific to its platform but confirmed that it has indeed updated its code and removed iframes from its Messenger web app.
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson said in a statement to Gizmodo. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
It’s of course an interesting week for such news to arrive, as it collides with Zuckerberg’s “privacy”-focused vision for the unholy union of WhatsApp, Facebook, and Instagram. Zuckerberg wrote in an extraordinarily long Facebook post this week that he believes “a privacy-focused communications platform will become even more important than today’s open platforms. Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.” And yet.
It’s worth noting that while still a privacy issue, the vulnerability doesn’t seem to unload any other details related to chats themselves other than whether a user was in communication with another user or bot. But as Masas noted, “Browser-based side-channel attacks are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”