Facebook bug allowed attackers to change Messenger content

And I thought you were my friend…


Facebook recently patched a vulnerability that allowed attackers to change the content of their messages sent via the Android Messenger app.

On Tuesday, Check Point security researcher Roman Zaikin published a blog post in which he outlines the details of the bug:

"The vulnerability allows a malicious user to change conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more."

Not just anyone could exploit the vulnerability. Only people who were already part of a conversation and who had used proxy servers or malware to discover a message's ID number could mess around with their Messenger content.

The Messenger website also logs each of its conversations with original messages, meaning a user could access the original text of the conversation in another version of Messenger.
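To make the constraints described above concrete (only a participant who has discovered a message ID can reach the edit path, Facebook's later statement that only the original sender could adjust content, re-filtering of any replacement text, and the web client retaining the original), here is an added Python example of a server-side edit handler that enforces those checks. It is not Facebook's or Check Point's code; the in-memory store, the user names, the blocklist standing in for the anti-malware filter, and the `edit` function are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed stand-in for the anti-malware/anti-spam filter the article quotes.
# A real service would hand the text to a scanning backend; a blocklist suffices here.
BLOCKED_DOMAINS = {"malware.invalid", "phish.invalid"}


def content_allowed(text: str) -> bool:
    """Return True if the text passes the (toy) content filter."""
    return not any(domain in text for domain in BLOCKED_DOMAINS)


@dataclass
class Message:
    msg_id: int
    thread_id: int
    sender: str
    content: str
    # Earlier versions of the message, kept so the original text stays recoverable.
    history: List[str] = field(default_factory=list)


class MessageStore:
    """Minimal in-memory chat store with a sender-only, filtered edit path (hypothetical)."""

    def __init__(self) -> None:
        self.threads: Dict[int, Set[str]] = {}
        self.messages: Dict[int, Message] = {}
        self._next_id = 1

    def create_thread(self, thread_id: int, participants: Set[str]) -> None:
        self.threads[thread_id] = set(participants)

    def send(self, thread_id: int, sender: str, content: str) -> int:
        if sender not in self.threads[thread_id]:
            raise PermissionError("sender is not in this thread")
        if not content_allowed(content):
            raise ValueError("content blocked by filter")
        msg_id = self._next_id
        self._next_id += 1
        self.messages[msg_id] = Message(msg_id, thread_id, sender, content)
        return msg_id

    def edit(self, requester: str, msg_id: int, new_content: str) -> Message:
        """Apply an edit only if every server-side check passes.

        Knowing a message ID is not enough: the requester must be in the thread,
        must be the original sender, and the replacement text is filtered again.
        """
        msg = self.messages.get(msg_id)
        # Same error for "no such message" and "not in thread" so IDs cannot be probed.
        if msg is None or requester not in self.threads[msg.thread_id]:
            raise PermissionError("message not accessible")
        if msg.sender != requester:
            raise PermissionError("only the original sender may edit a message")
        if not content_allowed(new_content):
            raise ValueError("edited content blocked by filter")
        msg.history.append(msg.content)  # keep the original, as the web client does
        msg.content = new_content
        return msg


def run_scenario() -> dict:
    """Exercise the checks with constructed users and return what happened."""
    store = MessageStore()
    store.create_thread(1, {"alice", "bob"})
    msg_id = store.send(1, "alice", "see https://docs.example/report.pdf")
    outcome = {}

    # Another participant who knows the ID cannot rewrite someone else's message.
    try:
        store.edit("bob", msg_id, "I never said that")
        outcome["other_participant_edit"] = "allowed"
    except PermissionError:
        outcome["other_participant_edit"] = "denied"

    # The sender can edit, but the new text still has to pass the filter.
    try:
        store.edit("alice", msg_id, "see https://malware.invalid/update")
        outcome["sender_edit_to_blocked"] = "allowed"
    except ValueError:
        outcome["sender_edit_to_blocked"] = "blocked"

    # A benign edit by the sender succeeds and the original text is retained.
    edited = store.edit("alice", msg_id, "see https://docs.example/report-v2.pdf")
    outcome["sender_edit_clean"] = edited.content
    outcome["original_kept"] = edited.history[0]
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The order of the checks matters: access and ownership are decided before the content filter runs, so a requester who is not the sender learns nothing about what the filter would have accepted, and the edit history means an audit can always recover what was originally sent.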


These limitations notwithstanding, Zaikin argues an attacker could leverage the vulnerability to manipulate message history to commit fraud, to hide potentially illegal content, or to incriminate others.

They could even deliver malware to unsuspecting victims, as the researcher notes:

"An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date."

A demonstration of this exploit can be viewed below:

Check Point reported the flaw to Facebook's security teams, who patched the vulnerability in early May.

The social networking site has since published a blog post about the bug in which it challenges several of Zaikin's findings, including the idea that an attacker could have exploited the vulnerability to manipulate any message's content or to distribute malware:

"Content could have only been adjusted by the person who sent the message. The bug did not provide the ability to change someone else's messages.... [And] [b]ecause even new content was subject to our anti-malware and anti-spam filters, this bug did not introduce the ability to send malicious content that would have been blocked in the original message."

Being careful about whom you trust goes a long way towards protecting yourself against attacks on social media. With that in mind, it's a good idea not to add any connections or friends whom you don't already know or trust.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
