Facebook CEO Mark Zuckerberg recently said he wanted his company to focus on “privacy-focused” communications, but a cybersecurity company revealed on Thursday (Mar. 7) that Facebook Messenger had a serious flaw that allowed potential attackers to know who users were chatting with, according to reports.
The company, Imperva, said the bug didn’t show message content, but that just the knowledge of the message recipients could threaten a person’s privacy.
“It could be sent to high-profile targets to figure out who they’ve had a conversation with,” said Ron Masas, the researcher who discovered the issue. “If you sent a message to a bot to order pizzas, I would know.”
Facebook said the privacy bug was fixed in December.
“The issue in this report stems from the way web browsers handle content embedded in web pages and is not specific to Facebook,” a Facebook spokesperson said. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
The vulnerability worked by looking at iFrames, which is the code employed to embed things like YouTube videos on a page. Messenger would display a specific number of iFrames for conversations, for people users had chatted with as well as others.
Masas found that if he could figure out the number of iFrames that loaded, he could figure out who someone had been in touch with. In order to get that data, a victim would have to click on something that would lead to Masas’ tool, such as a video, that would keep them distracted while their data was stolen.
Masas stressed that encryption wouldn’t even fix the problem – even as Zuckerberg said he wanted to focus on encrypted messaging – because iFrames comes from the browser side. “This data was leaked over the client side. In terms of encryption, it’s not really going to affect this,” he said.