
  • FPCH Admin
Posted


Facebook recently patched a vulnerability that allowed attackers to change the content of their messages sent via the Android Messenger app.

 

On Tuesday, Check Point security researcher Roman Zaikin published a blog post in which he outlines the details of the bug:

 

"The vulnerability allows a malicious user to change conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more."

 

Not just anyone could exploit the vulnerability. Only people who were already part of a conversation and who had used proxy servers or malware to discover a message's ID number could mess around with their Messenger content.

 

The Messenger website also keeps a log of each conversation with its original messages, meaning a user could still access the original text of the conversation in another version of Messenger.

 

 


These limitations notwithstanding, Zaikin argues an attacker could leverage the vulnerability to manipulate message history to commit fraud, to hide potentially illegal content, or to incriminate others.

 

They could even deliver malware to unsuspecting victims, as the researcher notes:

 

"An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date."

 

A demonstration of this exploit can be viewed below:

 

 

Check Point reported the flaw to Facebook's security teams, who patched the vulnerability in early May.

 

 

The social networking site has since published a blog post about the bug in which it challenges several of Zaikin's findings, including the idea that an attacker could have exploited the vulnerability to manipulate any message's content or to distribute malware:

 

"Content could have only been adjusted by the person who sent the message. The bug did not provide the ability to change someone else's messages.... [And] because even new content was subject to our anti-malware and anti-spam filters, this bug did not introduce the ability to send malicious content that would have been blocked in the original message."

 

Trust goes a long way towards protecting yourself against digital attacks on social media. With that in mind, it's a good idea to not add any connections or friends whom you don't already know or trust.

 

Source: grahamcluley

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~
