Facebook is making a big shift to private messages, but it’s not immune to security vulnerabilities.
Imperva, a cybersecurity company, detailed on Thursday a flaw with Facebook Messenger that allowed potential attackers to learn who you were talking with on the chatting service.
The security bug didn’t show the content of the messages, but just knowing who you were in touch with has the potential to harm your privacy, said Ron Masas, the security researcher who discovered the vulnerability.
“It could be sent to high-profile targets to figure out who they’ve had a conversation with,” Masas said. “If you sent a message to a bot to order pizzas, I would know.”
Facebook fixed the bug in December. The company didn’t respond to a request for comment.
Masas had also detailed a similar Facebook bug in November, where data thieves could see private posts you’ve liked and what your friends have liked.
The bug worked by analyzing iFrames, code used to embed content like YouTube videos on pages. In your browser, Messenger loaded a specific number of iFrames for people you’ve had a conversation with and people you’ve never talked to, Masas said.
The security researcher developed a tool that’d report the number of iFrames loaded, and with that data, he could figure out who someone has been in touch with.
For the attack to work, the victim would have to click on a link leading to Masas’ tool. In his proof-of-concept, he set the trap link as a video, so that unsuspecting victims would be distracted while that data was siphoned off.
So in one tab, you’d have the spying tool gathering data on iFrames of the recipient’s Facebook page on another tab.
“The original tab can ask the browser how many iFrames another tab has,” Masas said. “It looks for this pattern that indicates whether or not you’ve had a conversation with a person.”
That pattern was a specific drop in iFrames if you’ve never spoken with somebody on Messenger.
When Masas first reported the flaw to Facebook on Nov. 29, the social network tried fixing it by randomizing the number of iFrames, he said. But even though the specific number of iFrames was removed, that drop in the pattern still existed, Masas said.
Facebook eventually fixed the flaw by removing iFrames from Messenger altogether.
The security vulnerability with Facebook Messenger comes a day after Mark Zuckerberg announced his plans for the future of the social network. The CEO said Facebook is moving toward a privacy-focused platform, with an emphasis on encrypted messaging.
But with the bug that Masas discovered, encryption wouldn’t have stopped the flaw, the researcher said.
That’s because it looked for iFrames, which your browser provided — not Facebook.
“This data was leaked over the client side. In terms of encryption, it’s not really going to affect this,” he said.