Facebook Messenger: bug puts users’ chats at risk

A vulnerability in Facebook's messaging system put the privacy of roughly a billion users at risk. The issue has been fixed.

Ysrael Gurt, a security researcher at BugSec and Cynet, discovered a critical vulnerability in Facebook Messenger that allowed an attacker to read users' private conversations, including the photos and attachments they had sent.

The bug, dubbed "Originull", stems from the fact that Facebook chats are not served from the social network's main origin but from a separate chat server, [number]-edge-chat.facebook.com, used by both the web and mobile versions; the exposure was, in short, total. To exploit it, an attacker only needed to lure the victim, through a link received by email or an invitation on a phishing site, to a malicious web page carrying purpose-built JavaScript; no software had to be installed on the victim's device. Facebook fortunately fixed the flaw promptly.

Facebook recognized and fixed the bug

Once the victim landed on that page, a so-called cross-origin bypass attack was run against Facebook's messaging application, and the attacker could view messages, photos and attachments sent via Messenger by any victim who had loaded the page while logged in to Facebook. For those interested in more technical detail, Ysrael Gurt himself explains. Communication between the page's JavaScript and the chat server takes place via XMLHttpRequest (XHR). Because the chat server is a different origin from the page that calls it, the browser only lets that JavaScript read the chat server's reply if the reply carries an Access-Control-Allow-Origin header naming the caller's origin together with an Access-Control-Allow-Credentials header set to "true"; the second header is what makes the response readable even though the request was sent with the user's cookies. A server that echoes whatever origin it is given in those headers therefore hands the chat data to any site the victim visits. Gurt discovered the vulnerability with a tool of his own creation, and Facebook's security team, quickly recognizing its seriousness, fixed it promptly.
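To make the header logic above concrete, here is an added example in JavaScript (it is not the article's code and not BugSec's or Facebook's): a chat server policy that reflects whatever Origin it receives together with Access-Control-Allow-Credentials: true, beside a policy that checks the origin against an allowlist, and a simplified model of the browser rule that decides whether a script may read a credentialed cross-origin response. The origins, the allowlist, the sample chat body and the policy function names are all assumptions for illustration, and the block does not reproduce the specific bypass Gurt used.

```javascript
// Added example (not Facebook's or BugSec's code): a model of the CORS
// decision behind a credentialed cross-origin read. The origins, the
// allowlist and the sample chat body are constructed for illustration.

// Assumed allowlist of first-party origins permitted to read chat data.
const ALLOWED_ORIGINS = new Set([
  "https://www.facebook.com",
  "https://m.facebook.com",
]);

// Vulnerable policy: reflect any Origin the request carries and allow
// credentials. Every site on the web becomes a permitted caller.
function reflectingCorsPolicy(requestOrigin) {
  if (requestOrigin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: only echo an origin that is on the allowlist. The
// literal string "null" (sent by sandboxed iframes and data: URLs) is
// never allowlisted; this is a general CORS caveat, not a claim about
// the specific bypass the article describes.
function allowlistCorsPolicy(requestOrigin) {
  if (requestOrigin === undefined || requestOrigin === "null") return {};
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Tell caches that the answer depends on the Origin header.
    "Vary": "Origin",
  };
}

// Simplified model of the browser's CORS check for a response to a
// request made with credentials (cookies attached). Returns true when
// the calling script may read the response body.
function browserAllowsCredentialedRead(callerOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;   // no CORS header: response is opaque
  if (acao === "*") return false;         // wildcard is refused with credentials
  if (acac !== "true") return false;      // credentials must be explicitly allowed
  return acao === callerOrigin;           // origin must match the caller exactly
}

// Models a page at callerOrigin doing
//   xhr.withCredentials = true; xhr.open("GET", chatUrl); xhr.send();
// The browser attaches the victim's cookies no matter who the caller is;
// the server's policy only decides whether the page may read the reply.
// Returns the parsed chat data, or null when the browser blocks the read.
function simulateCrossOriginRead(callerOrigin, corsPolicy) {
  const chatResponse = {
    headers: corsPolicy(callerOrigin),
    body: JSON.stringify({ thread: "constructed sample", messages: ["hi"] }),
  };
  if (!browserAllowsCredentialedRead(callerOrigin, chatResponse.headers)) {
    return null;
  }
  return JSON.parse(chatResponse.body);
}

const ATTACKER = "https://attacker.example"; // assumed malicious site
console.log("reflecting policy, attacker reads chat:",
  simulateCrossOriginRead(ATTACKER, reflectingCorsPolicy) !== null);
console.log("allowlist policy, attacker reads chat:",
  simulateCrossOriginRead(ATTACKER, allowlistCorsPolicy) !== null);
console.log("allowlist policy, first party reads chat:",
  simulateCrossOriginRead("https://www.facebook.com", allowlistCorsPolicy) !== null);
```

The point to take from the model is that cookies are sent either way; the only thing standing between a logged-in victim and an attacker's page is the pair of headers the chat server chooses to return, so that choice must be driven by an allowlist the server controls, never by the Origin the caller supplies.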
