How to View Every Message From Facebook Messenger

Facebook has fixed a serious vulnerability in its chat application, both on the Web and in the mobile versions. The vulnerability allowed attackers to view, edit, or delete any conversation.

Researcher Roman Zaikin of Check Point discovered the vulnerability at the beginning of the month, and Facebook immediately released updates to address the problem.

According to Zaikin, the vulnerability was based on the way Facebook Messenger works. Every conversation between two users of the messaging application is transmitted through Facebook's servers. Each message has a random message_id that is unique to it.

Zaikin realized that using the facebook.com/ajax/mercury/thread_info.php URL, he could find out the ID of each message.

The only requirement was that the attacker has some way to log and store the message requests. This can be done through proxy servers, or by infecting the user's devices with malware that records these message requests and then sends them to the attacker's server.

For an attacker who has obtained the message_ids, Zaikin developed an automated attack that sends messages with the same ID, overwriting the contents of the original message.

Since the mobile version of Messenger allows users to delete messages, the automated attack can also be used to delete existing messages.

The attack is extremely dangerous because it allows spammers to keep replacing their messages with new malicious URLs in case their original servers are shut down.

In addition, since conversation logs are accepted as evidence in court, an attacker could also modify existing conversations to shift responsibility onto another person, or completely erase any trace of an act.

Below is a video from Zaikin that shows the Facebook Messenger vulnerability:

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
