InfoSec 2016: Facebook Messenger “Left Open To Hackers”

facebook messenger group chat

Check Point research finds both Messenger and Facebook Chat can be exploited with simple HTML tweak that would allow hackers to hijack messages

Facebook users came close to being exposed to a dangerous vulnerability in the site’s code that could have opened up its chat apps to criminals, security researchers have claimed.

Both Facebook Messenger and the site’s browser Facebook Chat service were affected by a flaw which could have allowed hackers to essentially take control of any message sent with only a basic level of knowledge of HTML coding.

In doing so, hackers could have been able to modify a message’s content, distribute malware and even insert automation techniques to outsmart security defences, according to security firm Check Point.

At risk

Facebook Messenger LogoThe company claims that all hackers would have needed to do to exploit the flaw would be to identify the unique ID for the sent message they want to target, which requires only very basic HTML knowledge and a browser debug tool, free on any browser.

And once this message ID is isolated and identified, an attacker would be able to hijack it, allowing for the potential altering of the content before sending it on to the Facebook servers without the original user being any the wiser.

Facebook recently revealed that 900 million people are now using Messenger worldwide, along with 50 million businesses.

Check Point says that it informed the Facebook Security team about the vulnerability earlier this month, with the site immediately responding to work with the company and patch the flaw two weeks later.

Facebook has confirmed that users are no longer at risk from this vulnerability, and do not need to make any changes to their accounts.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realising,” said Oded Vanunu, head of products vulnerability research at Check Point.

“What’s worse, the hacker could implement automation techniques to outsmart security measures, allowing them to launch long-term, insidious attacks. We applaud Facebook for such a rapid response, and for working with us to put security first for their users.”

Are you a Facebook expert? Take our quiz!