Facebook bug allowed attackers to change Messenger content

allheart55 (Cindy E)

allheart55 (Cindy E)

Administrator
Joined
Jul 12, 2014
Messages
7,354
Location
Levittown, Pennsylvania
facebook-messenger-600.jpg


Facebook recently patched a vulnerability that allowed attackers to change the content of their messages sent via the Android Messenger app.

On Tuesday, Check Point security researcher Roman Zaikin published a blog post in which he outlines the details of the bug:

"The vulnerability allows a malicious user to change conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more."

Not just anyone could exploit the vulnerability. Only people who were already part of a conversation and who had used proxy servers or malware to discover a message's ID number could mess around with their Messenger content.

The Messenger website also logs each of its conversations with original messages, meaning a user could access the original text of the conversation in another version of Messenger.


33ecef169dcf86f2c45351319af758d8.png



These limitations notwithstanding, Zaikin argues an attacker could leverage the vulnerability to manipulate message history to commit fraud, to hide potentially illegal content, or to incriminate others.

They could even deliver malware to unsuspecting victims, as the researcher notes:

"An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date."

A demonstration of this exploit can be viewed below:


Check Point reported the flaw to Facebook's security teams, who patched the vulnerability in early May.


The social networking site has since published a blog post about the bug in which it challenges several of Zaikin's findings, including the idea that an attacker could have exploited the vulnerability to manipulate any message's content or to distribute malware:

"Content could have only been adjusted by the person who sent the message. The bug did not provide the ability to change someone else's messages.... [And] because even new content was subject to our anti-malware and anti-spam filters, this bug did not introduce the ability to send malicious content that would have been blocked in the original message."

Trust goes a long way towards protecting yourself against digital attacks on social media. With that in mind, it's a good idea to not add any connections or friends whom you don't already know or trust.

Source: grahamcluley
 

Similar threads

AWS
A closer look at Qakbot’s latest building blocks (and how to knock them down)
Replies
1
Views
291
Tony D
Tony D
AWS
Widespread credential phishing campaign abuses open redirector links
Replies
1
Views
324
Tony D
Tony D
allheart55 (Cindy E)
Facebook denies sharing private messages without user knowledge
Replies
0
Views
606
allheart55 (Cindy E)
allheart55 (Cindy E)
starbuck
Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords
Replies
3
Views
717
allheart55 (Cindy E)
allheart55 (Cindy E)
starbuck
This password-stealing malware uses Facebook Messenger to spread further
Replies
2
Views
720
starbuck
starbuck
Back
Top