How to View Every Message From Facebook Messenger

Facebook has fixed a serious vulnerability in Messenger that affected both the web and the mobile versions. The vulnerability allowed attackers to see, edit, or delete any conversation.

Researcher Roman Zaikin of Check Point discovered the vulnerability at the beginning of the month, and Facebook immediately released updates to address the problem.

According to Zaikin, the vulnerability stemmed from how Facebook Messenger works. Every message exchanged between two users in the app is transmitted through Facebook's servers, and each message is assigned a random, unique message_id.

Zaikin realized that using the facebook.com/ajax/mercury/thread_info.php URL, he could find out the ID of each message.

The only requirement was that the attacker had some way to log and store the message requests. This can be done through proxy servers, or by infecting the user with malware that records these message requests and then sends them to the attacker's server.

Assuming the attacker has gotten hold of the message_ids, Zaikin developed an automated attack that sends messages with the same ID, rewriting the content of the original message.

Since the mobile version of Messenger allows users to delete messages, the automated attack can also be used to delete existing messages.

The attack is extremely dangerous because it allows spammers to keep updating their messages with new malicious URLs in case their original servers are shut down.

Furthermore, since chat logs are admissible as evidence in court, an attacker could also modify existing conversations to shift blame to another person, or erase all traces of wrongdoing altogether.
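The flaw class described above, shown as an added example that is not from the original article or from Facebook's code: a toy in-memory store contrasting a send handler that overwrites on a reused message_id with one that rejects and logs the reuse. All class names, IDs and message bodies are constructed, and the overwrite-on-duplicate behaviour is an assumed simplification of what the article describes.

```python
# Added illustration: a toy message store, not Facebook's implementation.
from dataclasses import dataclass


@dataclass
class Message:
    message_id: str
    sender: str
    body: str


class VulnerableStore:
    """Treats a send as an upsert keyed only on the client-supplied message_id."""

    def __init__(self):
        self.messages = {}

    def send(self, message_id, sender, body):
        # No check that the ID is new: a reused ID silently replaces history.
        self.messages[message_id] = Message(message_id, sender, body)
        return True


class HardenedStore:
    """Stored messages are immutable; reuse of an ID is rejected and logged."""

    def __init__(self):
        self.messages = {}
        self.alerts = []  # events for detection and abuse review

    def send(self, message_id, sender, body):
        existing = self.messages.get(message_id)
        if existing is not None:
            self.alerts.append({"event": "message_id_reuse",
                                "message_id": message_id,
                                "original_sender": existing.sender,
                                "attempted_by": sender})
            return False
        self.messages[message_id] = Message(message_id, sender, body)
        return True


def replay(store):
    """Send a message, then a second one reusing its ID; return the stored body."""
    mid = "mid.constructed-0001"  # constructed sample ID
    store.send(mid, "alice", "See you at 5pm")
    store.send(mid, "attacker", "http://changed.example/")
    return store.messages[mid].body
```

Running `replay` against each store shows the difference: the first keeps the rewritten body, while the second keeps the original and records one `message_id_reuse` alert that a detection pipeline could act on.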

Below is a video from Zaikin that shows the Facebook Messenger vulnerability:

 


Written by Dimitris
