21 May 2019
Facebook continues its efforts to roll out privacy and better security across its platform, though that doesn’t mean the app is free of vulnerabilities. Just recently, an independent researcher found a bug in Facebook Messenger that exposed information about whom you were communicating with. Some time back, another bug surfaced that exposed Facebook users’ likes, interests and location history data to third-party websites.
The most recently reported vulnerability allowed a hacker to get a Facebook Messenger user to click on a ‘bad link’ that takes them to another web page. When the user clicks anywhere on that page, an unseen window opens that lets the hacker know whether or not the Facebook user was in conversation with any other user. The hacker basically exploits iframe properties to expose this private information about the Messenger user.
Facebook responded to the responsible disclosure made by the security researcher who found this vulnerability, sharing in a statement:
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” and also “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
It's important to note that Internet and web technologies are always prone to vulnerabilities, and these tech companies continue to fix the loopholes. Note that no other information, such as chats, was exposed by this vulnerability. Security researcher Masas shared his concerns regarding this vulnerability, stating:
“Browser-based side-channel attacks are still an overlooked subject, while big players like Facebook and Google are catching up, most of the industry is still unaware.”