Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Incident Response, TDR, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Facebook Messenger flaw fixed promptly

After Check Point notified Facebook of a flaw in its Facebook Online Chat & Messenger App earlier this month, the social media giant responded and quickly fixed the vulnerability, according to a blog post from Check Point.

The bug could have given access to attackers to alter conversation threads, including modifying sent messages, photos, files and links.

Miscreants could have embedded information in Facebook chats, which because the chats could be presented as evidence in legal matters, could have opened the door to false charges.

The bug also could have allowed the distribution of malware by letting attackers change links and even update them later on to keep current with C&C servers.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing,” Oded Vanunu, head of products vulnerability research at Check Point, said in the post, applauding Facebook for its quick response.

However, a Facebook spokesperson contacted SCMagazine.com to refute some inaccuracies in the Check Point blog post.

Specifically:
  • The bug only allowed you to change your own messages and it was temporary until the app refetched data with the server. 
  • All original messages would still be documented and accessible on the other platforms, so there was always a source of truth that reflected messages correctly.
  • You wouldn't be able to inject any content, including links and malware, that would have been blocked in the original messages. All messages are still sent through our anti-malware and anti-spam filters. 

"All of these points make systematic abuse very difficult," the Facebook spokesperson wrote. 

More details from the Facebook security team are available here.


This article is updated to include comments from Facebook.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.