Facebook Messenger bug exposed who users had been chatting to

Just yesterday, Mark Zuckerberg delivered his vision for the new privacy-focused future of Facebook. In case you missed it, the proposal centres around private, intimate interactions within encrypted conversations.

Less than 24 hours after the founder and CEO’s solemn vow, it has emerged that a bug within Facebook Messenger could have enabled hackers to see exactly who users had been conversing with.

The now-resolved flaw was discovered by researchers, who have now published insight into the bug, which singled-out which Facebook contacts a user had spoken to using Messenger. While that information didn’t include the content of messages, it could be damaging for some users for this data to be revealed.

In a blog post, Imperva Research’s Ron Masas, outlined how a browser-based side channel attack mapped communications between Facebook accounts.

Related: How to delete a Facebook account permanently

He explained how hackers could target a user’s web browser and use iFrame elements to place the person’s Facebook contacts into two lists, one containing people they had communicated with and another of those they hadn’t.

In the blog post, (via Engadget) he wrote:

“I started poking around the Messenger web application and noticed that iframe elements were dominating the user-interface. The chat box, as well as the contact list, were rendered in iframes, opening the possibility for a CSFL attack.

“I started digging into those three iframes, in order to understand how, why and when they are loaded. I decided to record the iframe count data over time for as many endpoints I could find, with the goal of uncovering interesting and detectable states.

“After a few tests, I started looking into the conversation endpoint, I recorded “full state” data, meaning pages that would load my conversation with a user I’ve been in touch with, and some “empty state” data, showing conversations with users I’ve never contacted.”

Masas reported the threat to Facebook under its responsible disclosure program. He said Facebook quickly fixed the issue by breaking his proof of concept. After he modified the algorithm to get around the get around, Facebook eventually removed all iFrame elements from the Messenger UI.

It seems the company still has a little way to go to realise that secure future for its users, huh?

Do your trust Zuckerberg’s vow to clean up Facebook’s act? Let us know @TrustedReviews on Twitter.