Bug In Facebook Messenger To Allowed Websites To Access User Data

Facebook and Mark Zuckerberg
Facebook and Mark Zuckerberg

Now the bug found in Facebook messenger to allowed websites to gain access of users data, including your chat records.

Ron Masas, a cyber security researcher from Imperva found the bug in November 2018. Masas team have been found a bug in Facebook messenger that allowed websites to extract data from users profile through cross site frame leakage (CSFL).

Cross-Site Frame Leakage is a side-channel attack, performed on an end user’s web browser, that exploits the cross-origin properties of iframe elements to determine the state of a vulnerable application.

How this Bug works?

Masas said, a hacker could potentially exploit iframe to see who that user had been chatting with on Messenger.

By clicking on malicious link in the messenger anywhere on the page, a new window would open—potentially out of view of the user—and allow the hacker to probe whether the user had been or had not been in conversation with other Facebook users on Messenger.

Bug have been Fixed

Facebook then removed iframes from Messenger entirely. Facebook told The Verge in a statement: “We appreciate the researcher’s submission to our bug bounty program. The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.”

“Browser-based side channel attacks are still an overlooked subject,” Israel-based Imperva researcher Ron Masas writes in the report. “While big players like Facebook and Google are catching up, most of the industry is still unaware.” Masas noted that while the technique wasn’t common yet, it could “increase in popularity throughout 2019” as it typically didn’t leave a trace.

Also Read

On Thursday Mark Zuckerberg wrote, on its FB post about Facebook-privacy vision.

“People want to be able to choose which service they use to communicate with people. However, today if you want to message people on Facebook you have to use Messenger, on Instagram you have to use Direct, and on WhatsApp you have to use WhatsApp,” Zuckerberg wrote in the post. “We want to give people a choice so they can reach their friends across these networks from whichever app they prefer.”

“On balance, I believe working towards implementing end-to-end encryption for all private communications is the right thing to do. Messages and calls are some of the most sensitive private conversations people have, and in a world of increasing cyber security threats and heavy-handed government intervention in many countries, people want us to take the extra step to secure their most private data.”

Clearly, Mark Zuckerberg wants to merge all its service including Messenger, Instagram and WhatsApp. But what about our Data security?

Previously leaked Facebook timeline as follow-

  • Facebook shared your data to Tech Firm.

  • Facebook caught over it data privacy policies.

  • According to NYT report there are more than 150 Tech firms can access your Email Address and private messages.

  • “View As” feature Bug allowed to steal secret access token for more than 50 million accounts. Facebook temporarily turning off the feature for security purpose.

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

Multiple Vulnerabilities Found in Orange Modems And Leak WiFi Credentials

The security researchers of Bad Packets have found vulnerability that nearly 19,500...
Read More

Leave a Reply