News Categories

Facebook Messenger flaw allows hacker to change chat histories

By Ciara Alarcon & Koh Wanzi - on 9 Jun 2016, 2:46pm

Facebook Messenger flaw allows hacker to change chat histories

Facebook Messenger exploit

A research team from security firm Check Point has reportedly discovered a vulnerability in Facebook Messenger that could allow attackers to spread malware through the chat service and even modify the contents of users’ chat histories.

Facebook Messenger currently has nearly a billion active users, but in a blog post Tuesday, Facebook says the bug only affects the Messenger app on Android (which, incidentally, has racked up one billion downloads). This means that if your chats have been compromised, you can still access the original version of the text in another version of Messenger.

In order to exploit the flaw, an attack would need to obtain the unique “message_id” of individual chat messages, which can be done easily enough with a browser debugging tool and basic HTML knowledge. They could then alter the message content and send it back to Facebook’s servers. The modified content is accepted as authentic, and the recipient would be none the wiser.

On its own, this could amount to nothing more than an act of harmless mischief, but the real danger lies in the possibility that malicious actors will tamper with sensitive chat content. For instance, attackers could go so far as to falsify the details of agreements or transactions conducted over Messenger. They could even add in links to malware and trick recipients into clicking them, although Facebook says its built-in anti-spam and anti-virus filters would protect users.

However, only parties involved in the conversation can take advantage of the exploit, so you probably weren't at much risk if you chat only with people you know and trust.

The good news is that the vulnerability has since been patched, so users need not worry about this particular exploit anymore. Still, it’s impossible to guarantee that similar attacks will not happen in the future, and the case highlights the importance of end-to-end encryption, which would take the data off Facebook’s servers and ensure that there was no way to tamper with data and send it back to the server.

WhatsApp recently implemented end-to-end encryption, as did Google with its new Allo messenger app. Rumor also has it that Facebook will follow suit in the coming months, in the form of an optional encrypted communications mode.

Source: Check Point