Facebook Messenger Bug Exposes User Chat History

Messenger Bug Lets Others See Your Chat History

Facebook CEO Mark Zuckerberg recently said he wanted his company to focus on “privacy-focused” communications, but a cybersecurity company revealed on Thursday (Mar. 7) that Facebook Messenger had a serious flaw that allowed potential attackers to know who users were chatting with, according to reports.

The company, Imperva, said the bug did not expose message content, but that knowing who a person had exchanged messages with was by itself enough to threaten their privacy.

"It could be sent to high-profile targets to figure out who they've had a conversation with," said Ron Masas, the researcher who discovered the issue. "If you sent a message to a bot to order pizzas, I would know."

Facebook said the privacy bug was fixed in December.

"The issue in this report stems from the way web browsers handle content embedded in web pages and is not specific to Facebook," a Facebook spokesperson said. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behavior isn't triggered on our service."

The vulnerability worked by counting iframes, the HTML elements used to embed content such as YouTube videos in a page. Messenger displayed a particular number of iframes for a conversation, and that count differed between people a user had chatted with and those they had not.

Masas found that if he could determine how many iframes loaded, he could work out who someone had been in touch with. To collect that data, a victim would have to click on something that led to Masas’ tool, such as a video, which kept them distracted while their data was extracted.

Masas stressed that encryption would not fix the problem – even as Zuckerberg said he wanted to focus on encrypted messaging – because the iframe count is exposed on the browser side, not in transit. "This data was leaked over the client side. In terms of encryption, it's not really going to affect this," he said.
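The two paragraphs above describe a client-side leak: a hostile page only needs a reference to the application's window to read its frame count, and it gets that reference either by embedding the application in an iframe or by opening it with window.open(). The following is an added example, not code from the article, from Imperva or from Facebook. It audits an HTTP response's headers for the browser-level defenses that close both routes. The header names and their semantics are the real ones; the helper names and the sample header sets are constructed for the example.

```javascript
// Added example (not from the article, Imperva or Facebook): audit a response's
// headers for the defenses that stop a third-party page from obtaining a window
// reference to the application and reading its child-frame count.
//
// Background: the same-origin policy blocks reads of another origin's DOM, but a
// cross-origin WindowProxy still exposes a few properties, `frames.length` among
// them. A hostile page can obtain such a reference by embedding the target in an
// <iframe> or by opening it with window.open(). Each route has its own mitigation:
//   iframe route : X-Frame-Options: DENY|SAMEORIGIN, or
//                  Content-Security-Policy: frame-ancestors 'none'|'self'
//   opener route : Cross-Origin-Opener-Policy: same-origin
// None of this depends on encrypting message content, which is the article's point.

function normalizeHeaders(headers) {
  // Lower-case the keys so lookups do not depend on the server's casing.
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

function frameAncestorsBlocksThirdParties(csp) {
  // frame-ancestors only blocks third parties when every source is 'none' or 'self'.
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (!m) return false;
  const sources = m[1].trim().split(/\s+/)
    .map(s => s.replace(/^'|'$/g, '').toLowerCase());
  return sources.length > 0 && sources.every(s => s === 'none' || s === 'self');
}

function assessFramingProtections(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // Route 1: embedding the target in an <iframe> on a third-party page.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const iframeBlocked =
    xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    frameAncestorsBlocksThirdParties(h['content-security-policy'] || '');
  if (!iframeBlocked) {
    findings.push('embeddable by third-party pages: set X-Frame-Options: DENY ' +
                  "or Content-Security-Policy: frame-ancestors 'none'");
  }

  // Route 2: opening the target with window.open() from a hostile page.
  // COOP same-origin moves the page into its own browsing context group, so a
  // cross-origin opener loses its reference (the returned WindowProxy reports closed).
  const coop = (h['cross-origin-opener-policy'] || '').trim().toLowerCase();
  const openerBlocked = coop === 'same-origin';
  if (!openerBlocked) {
    findings.push('reachable via window.open() from other origins: set ' +
                  'Cross-Origin-Opener-Policy: same-origin');
  }

  return { iframeBlocked, openerBlocked, findings };
}

// Constructed sample header sets: one typical weak configuration, one hardened.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self'", // no frame-ancestors directive
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Cross-Origin-Opener-Policy': 'same-origin',
};

for (const [name, headers] of [['weak', WEAK_HEADERS], ['hardened', HARDENED_HEADERS]]) {
  console.log(name, JSON.stringify(assessFramingProtections(headers), null, 2));
}
```

The headers only remove the attacker's window reference; they do not change what the application renders. The complementary fix, which is the direction Facebook's statement describes for the web version of Messenger, is to make sure the number of frames a page renders never depends on private state such as whether a conversation exists.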
