Home » News » Facebook security flaw allowed hackers to alter Messenger conversations

Facebook security flaw allowed hackers to alter Messenger conversations


Wednesday June 08, 2016 – A security flaw in Facebook’s Messenger, discovered by online security company Check Point Software Technologies, allowed a malicious user to alter the messages in a Facebook chat after they were sent.

In one scenario, this could allow someone to send you an innocuous link in a Facebook chat, and later change it to a link that leads to a malware installation package, tricking you into infecting your system.

The exploit, explained in detail over at the Check Point blog, consists of finding a message’s unique “message_id” identifier, then altering the message content and sending it back to Facebook which accepts the new content as genuine, without alerting the recipient of the change.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing (…) The hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” Oded Vanunu, Head of Products Vulnerability Research at Check Point, said in a statement.

According to Check Point, the vulnerability was discovered earlier this month; Facebook was notified about the vulnerability and promptly moved to fix it.

Still, knowing that such a vulnerability existed is a scary thought. Not only does it open the possibility of getting your system infected with malware, it also has potential legal repercussions, as the content of Facebook’s chats is potentially admissible in court.

In a blog post Tuesday, Facebook explained that the bug only affected the Messenger app on Android. Furthermore, the company claims the flaw could not be used to infect a user’s system with malware, due to the company’s anti-spam and anti-virus filters.

“Because even new content was subject to our anti-malware and anti-spam filters, this bug did not introduce the ability to send malicious content that would have been blocked in the original message,” the post said.

Page 1 of 1