This article is more than 1 year old
Oh snap! Facebook zaps crap yap gap in web chat, natter app flap
Bug would have allowed miscreants to rewrite messages
A vulnerability in Facebook's web chatrooms and its Messenger app would have let miscreants surreptitiously tamper with messages after they had been sent.
The flaw was discovered by eggheads at security biz Check Point, who reported it to the social network giant. We're told attackers would have needed only a basic knowledge of HTML to take advantage of the bug to modify or delete any message, photo, file or link. The attacker would have to be part of a conversation before he or she could manipulate it.
The hole could have been exploited to rewrite conversations and put people in legally or personally tricky positions; run phishing scams; or distribute malware, among other possibilities.
Experts from the Israeli security firm discovered that, to tamper with a discussion, a hacker simply needed to identify the unique ID for the sent messages that he or she wanted edit. This was easily achieved by sending requests to www.facebook.com/ajax/mercury/thread_info.php.
Once a message ID was pulled up, a miscreant would be able to alter the contents of the message and submit it to the Facebook servers without others in the chat being alerted. This process would require only very basic HTML knowledge and a browser debug tool – most browsers include one.
Altering the contents of sent messages holds hugely attractive possibilities for hackers. They can insert links to malware, including ransomware, into a previously benign Facebook message chain, or they can manipulate message contents and history for fraudulent purposes – for example to falsify details of an agreement or transaction.
Facebook's Messenger app alone passed 800 million monthly users earlier this year, making it a potentially rich hunting ground for cybercriminals.
The vulnerability was fully disclosed to the Facebook Security team by Check Point on May 2. Facebook responded quickly, and after a joint effort the vulnerability was patched by May 16. Facebook users do not need to make any changes to their accounts.
"By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing," said Oded Vanunu, head of products vulnerability research at Check Point.
"What's worse, the hacker could implement automation techniques to outsmart security measures, allowing them to launch long-term, insidious attacks. We applaud Facebook for such a rapid response, and for working with us to put security first for their users."
The resolution of the problem came days before Facebook announced it was closing its native message facility, forcing users to install the Messenger client, which comes with end-to-end encryption by default. ®