Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Facebook Messenger bug exposed who users had been chatting to

Just yesterday, Mark Zuckerberg delivered his vision for the new privacy-focused future of Facebook. In case you missed it, the proposal centres around private, intimate interactions within encrypted conversations.

Less than 24 hours after the founder and CEO’s solemn vow, it has emerged that a bug within Facebook Messenger could have enabled hackers to see exactly who users had been conversing with.

The now-resolved flaw was discovered by researchers, who have now published insight into the bug, which singled-out which Facebook contacts a user had spoken to using Messenger. While that information didn’t include the content of messages, it could be damaging for some users for this data to be revealed.

In a blog post, Imperva Research’s Ron Masas, outlined how a browser-based side channel attack mapped communications between Facebook accounts.

Related: How to delete a Facebook account permanently

He explained how hackers could target a user’s web browser and use iFrame elements to place the person’s Facebook contacts into two lists, one containing people they had communicated with and another of those they hadn’t.

In the blog post, (via Engadget) he wrote:

“I started poking around the Messenger web application and noticed that iframe elements were dominating the user-interface. The chat box, as well as the contact list, were rendered in iframes, opening the possibility for a CSFL attack.

“I started digging into those three iframes, in order to understand how, why and when they are loaded. I decided to record the iframe count data over time for as many endpoints I could find, with the goal of uncovering interesting and detectable states.

“After a few tests, I started looking into the conversation endpoint, I recorded “full state” data, meaning pages that would load my conversation with a user I’ve been in touch with, and some “empty state” data, showing conversations with users I’ve never contacted.”

Masas reported the threat to Facebook under its responsible disclosure program. He said Facebook quickly fixed the issue by breaking his proof of concept. After he modified the algorithm to get around the get around, Facebook eventually removed all iFrame elements from the Messenger UI.

It seems the company still has a little way to go to realise that secure future for its users, huh?

Do your trust Zuckerberg’s vow to clean up Facebook’s act? Let us know @TrustedReviews on Twitter.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.

Trusted Reviews Logo

Sign up to our newsletter

Get the best of Trusted Reviews delivered right to your inbox.

This is a test error message with some extra words