Highlights:
Facebook’s Mark Zuckerberg recently said that he wants to better secure the social media platform. Even if the company’s plans do come to fruition and, hopefully, we get to see a more secure Facebook, it is not completely impervious to vulnerabilities and flaws. The cyber security firm Imperva recently reported of a vulnerability in the web version of Facebook Messenger, which enabled any website to see who you have been chatting with. While the flaw is said to have not revealed the contents of a user’s chat, but it enabled potential attackers to know who the person was in contact, and chatting with. Facebook said that it patched the flaw in December last year.
"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson told CNET. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behaviour isn't triggered on our service." Ron Masas, a security researcher at Masas who discovered the vulnerability, said that this vulnerability was exploited using browser-based side-channel attacks, which “are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”
Masas detailed the bug in a blog post and it apparently stems from the use of iFrames, which are Inline Frame codes to embed content from pages like YouTube. Analysing the number of iFrames being loaded, the researcher was able to figure out with whom a user was having conversations. This was done via a tool that he developed but for it to work, a user would need to be led to it. The tool would look for a dip in the number of iFrames, which happened in case you’ve never had a conversation with someone on Facebook.
Dip in the iFrame count revealing user had a conversation with someone (top) vs stable iFrame count (bottom) for someone a user didn't have a conversation with
Related Reads: