Facebook Messenger issues are nothing new. Sometimes, in fact, we just hold our breath for the next big Facebook Messenger bug. While that last statement is an exaggeration, here’s one that isn’t. A new bug within the communication platform could have allowed hackers to see who exactly a user has been conversing with.
The irony is that the vulnerability was revealed less than 24 hours after Facebook founder and CEO Mark Zuckerberg shared his vision for the privacy-oriented future of Facebook. The proposal, after all, focused on private interactions within encrypted conversations.
Let’s dig deeper into this bug in Facebook Messenger that exposes who users were chatting with.
Facebook Messenger Bug in Focus
Cybersecurity firm Imperva disclosed on Thursday the security flaw that let potential attackers learn who you were talking with on Facebook’s own chatting service. The flaw was then shortly resolved.
Sure, the bug didn’t actually show the content of your messages. But it had the capability to know who you were in touch with, possibly harming your privacy.
What hackers could do was target your web browser. From there, they could exploit iframe elements in order to see which friends you talked with and which were not in your contact list. However, they couldn’t have obtained any other data from the breach, Imperva confirmed.
So if you visited a malicious website via Chrome and clicked on the site while remaining logged in on Facebook, then you would have been vulnerable. That would give the bad elements a free pass to run queries on a new Facebook tab and then extract private data.
Facebook was quick to act (as it should), trying to issue a fix through randomizing iframe elements. Imperva shortly pointed out, though, that hackers could still continue exposing the user’s contacts by designing an algorithm to get it done. The social network then altogether removed iframes from Messenger.
In a statement, Facebook clarified that the identified issue was rooted in how “web browsers handle content embedded in webpages” and wasn’t unique to Facebook. Furthermore, they said they have made recommendations to browser companies and relevant web standards groups to encourage taking further steps to prevent the issue from occurring in other web apps.
Facebook also updated Messenger’s web version in the wake of the bug to keep the “browser behavior” from setting off in its service.
Imperva researcher Ron Masas warned in the report that browser-based side channel attacks still don’t get the attention they need. “While big players like Facebook and Google are catching up, most of the industry is still unaware,” he said. It remains an uncommon technique, but this type of attack could catch on in 2019 without even leaving a trace.
Previous Facebook Problems in Privacy
Last year, Imperva also detailed a Facebook vulnerability that could have exposed users’ data. What the bug did was allow websites to get private information about users and their friends using unauthorized access to a company API. This played off a particular behavior in the Chrome browser, similar to the recently divulged problem.
This attack is technically known as a cross-site request forgery. In a basic sense, it uses a legitimate Facebook login in an unauthorized manner. When a Facebook user visits a malicious site with Chrome and clicks on it while logged in on Facebook, the attackers could open a new tab or pop-up on Facebook search. They can run any queries in order to obtain personal data.
Some sample queries include:
- If user took photos in a specific location or country
- If user wrote recent posts containing a particular text
- If user’s friends like a certain company’s Facebook page
The danger: the interests of a user and her friends can become exposed even if their privacy settings show their interests only to friends.
Over the years, Facebook had been under scrutiny for a number of privacy violations and user data mishandling:
- Cambridge Analytica Scandal – Erupting last March, it involved Cambridge Analytica’s harvesting of the personal data of some 87 million Facebook users without their consent and for political purposes. It was initially reported in December 2015 by journalist Harry Davies. That time, the firm was working for U.S. senator Ted Cruz. The one in March emerged through ex-employee Christopher Wylie, inciting discussion on ethical standards for social media companies, politicians, and political consulting firms.
- ‘View As’ Facebook Data Breach – Attackers exploited a vulnerability in the social platform’s code that existed from July 2017 to September 2018, Facebook reported. The breach resulted from a “complex interaction” of three different software bugs and affected “View As,” a feature that allows people to see what their own profile looks like to someone else. It enabled attackers to steal Facebook access tokens, useful for taking over people’s accounts. Access tokens are akin to digital keys, which keep users logged in to Facebook without having to re-enter their password every single time.
Privacy Tips for Facebook Users
You can take active steps to keep your Facebook data safe. Don’t wait for the next big privacy breach to make your move!
- Review App Access. Apps offer more of your information up for grabs. So check out your phone’s Settings area and go to Account Settings > Apps. Here you can view which apps have access to your account. Click Remove App to revoke an app’s access and somehow minimize the damage caused by previous occasions where you allowed it to stay there and access all your information. Organize your phone, too, with a reliable accessibility and phone life booster app if you are a moderate to heavy Facebook or smartphone user.
- Clean Up Your Timeline and Account. Go through your activity log and police existing or old comments. Delete friends you don’t want to associate with anymore. Take other house-cleaning precautions in order to prevent privacy issues in the first place.
- Manage Your Privacy Settings. To do this, click on the arrow next to the question mark located at the top of the page. Hit Settings. The Privacy Settings and Tools window will open, and from here you can take different steps to change your security. Choose who you share your posts with, where the default setting is Friends. Perform a Privacy Check-up on your desktop or phone every so often to make sure you’re on the right track.
- Don’t Go on a Clicking Spree. Avoid clicking on licks in the Messenger or the main platform unless you are 100 percent sure that it’s safe to open. Exercise your discretion every time.
- Consider Deactivating or Deleting Your Account. If you don’t want to bother with these privacy issues anymore, you may also simply deactivate your account or delete it. The former is a temporary action while the latter is permanent. It can take around a month for your entire “person” to be purged from Facebook.
A now-resolved bug in Facebook Messenger potentially exposed who users were chatting with. The next big Facebook Messenger bug could be right around the corner, so don’t relax just yet. Observe privacy and security tips on Facebook and be extremely cautious of what you click, post, and share online.