A Bug With Facebook Messenger Revealed Who You Were Talking To
Dhir Acharya
Cybersecurity company Imperva described a flaw with Facebook Messenger allowing potential attackers to see who users were chatting with.
While Facebook is taking a step towards private messages, it hasn’t succeeded in addressing security vulnerabilities.
On Thursday, cybersecurity company Imperva described a flaw with Facebook Messenger allowing potential attackers to see who users were chatting with.
According to researcher Ron Masas, who found the flaw, attackers cannot see the content of the conversations, but simply knowing who users were contacting is still dangerous.
Masas added:
Facebook said on the same day that the bug was fixed in December.
A spokesperson from Facebook said that the issue Masas reported is actually the result of the way web browsers process content embedded in websites and is not limited to Facebook. The spokesperson also stated that Facebook has encouraged browser makers as well as web standards groups to take action to prevent such problems from arising in other web apps, and that the company has updated Messenger's web version to prevent this issue.
In November last year, Masas also revealed a similar Facebook bug that let data thieves see which private posts you liked and what your friends liked.
According to Masas, the attack analyzes iFrames, the code that developers use to embed content on web pages, such as YouTube videos. In users' browsers, a number of iFrames were loaded both for people they had chatted with and for people they had never interacted with.
He created a tool to record how many iFrames were loaded, which let him find out whom someone had been contacting.
The blue line shows that you've never chatted with someone on Messenger; the red line shows that you have.
The spike in iFrame loads shows the difference.
In Masas' proof of concept, he set up a video link that users would have to click for the attack to work. While the victim is distracted by the video, the hacker can draw information: a spying tool in one tab gathers data on the iFrames of the recipient's Facebook page in another tab.
If a user has never talked to someone on Messenger, the iFrame count shows a specific drop.
When the researcher first reported the bug to Facebook on November 29, the company tried randomizing the number of iFrames to fix the flaw. Despite that, there was still a drop in the pattern.
Eventually, Facebook removed iFrames from Messenger completely.
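Why randomizing the count did not close the leak while removing the iFrames did can be seen in a small simulation. This is an added example, not Imperva's tool or Facebook's code; the base counts, the padding range and the function names are all constructed assumptions.

```javascript
// Added illustration. All counts are constructed; they are not measurements from Messenger.
const BASE = { contacted: 3, never: 1 }; // hypothetical state-dependent frame counts
const PAD_MAX = 5;                        // hypothetical random padding: 0..5 extra frames

// Small seeded PRNG (mulberry32) so every run produces the same samples.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Three ways a page could expose its frame count for a given conversation state.
const mitigations = {
  none:      (state)      => BASE[state],
  randomPad: (state, rng) => BASE[state] + Math.floor(rng() * (PAD_MAX + 1)),
  constant:  ()           => 0, // count no longer depends on state (frames removed)
};

// Sample the count n times per state and summarise the range that would be visible.
function observe(mitigation, n, seed) {
  const rng = makeRng(seed);
  const out = {};
  for (const state of Object.keys(BASE)) {
    const samples = Array.from({ length: n }, () => mitigations[mitigation](state, rng));
    out[state] = { min: Math.min(...samples), max: Math.max(...samples) };
  }
  return out;
}

// The state leaks if repeated observation separates the two cases.
function leaks(mitigation, n = 200, seed = 1) {
  const o = observe(mitigation, n, seed);
  return o.contacted.min !== o.never.min || o.contacted.max !== o.never.max;
}

for (const m of Object.keys(mitigations)) {
  console.log(m, JSON.stringify(observe(m, 200, 1)), "leaks:", leaks(m));
}
```

Random padding widens each range so that single readings overlap, but the lowest value seen over many readings still tracks the underlying state; only a count that is independent of the state removes the signal.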
The security hole came right before Mark Zuckerberg's announcement about plans for the future privacy-focused platform with message encryption. However, Masas said encryption cannot stop this bug because it searches for iFrames provided by browsers rather than Facebook. Masas said: