Home Apps Facebook Messenger Bug Lets Hackers See Who You’ve Chatted With

Facebook Messenger Bug Lets Hackers See Who You’ve Chatted With


We reported earlier today that Google’s Security Chief is advising all Chrome users to download the latest update for the browser because it patches a major security issue which lets hackers directly attack users. Unfortunately, it looks like Facebook Messenger is also not safe to use.

The cybersecurity software company called Imperva has identified a bug in Messenger’s code that causes a major security breach. The problem here is that the bug lets hackers see the activity of users starting with what posts they like and ending with their private conversations.

Facebook Messenger

The last year wasn’t a good one for Facebook. The social media giant went through a couple of data leak scandals and people don’t feel safe on Facebook anymore. Sadly, it doesn’t look like Facebook has learned its lesson since the folks at Imperva are reporting that a new bug found in Messenger’s code makes it possible for hackers to get private information about users.

How Does the Bug Work?

Ron Masas is a security researcher and he revealed that hackers can user a target’s browser in order to exploit the iframe properties and see who the target has been talking to on Messenger. “I started poking around the Messenger web application and noticed that iframe elements were dominating the user-interface. The chat box, as well as the contact list, were rendered in iframes, opening the possibility for a CSFL attack,” said Ron Masas in a recent blog post.

The Bug Has Been Reported

“Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface,” added Ron Masas.