A previously reported Facebook vulnerability was similarly found in the company’s Messenger product, according to security research group Imperva. Nearly a year ago, Imperva researchers discovered that, through Messenger, a hacker could use “any website to expose who you have been messaging with.” The bug was disclosed to Facebook in November and subsequently patched.
Hackers could target a Facebook user’s web browser and exploit iframe elements to see which friends the user had talked to and which were not in the user’s contact list. Imperva confirmed the hackers couldn’t gain any other data from the attack.
Like the vulnerability in Facebook reported last November, Messenger users would have been vulnerable if they visited a malicious site with Chrome and then clicked on the site while they were still logged in on Facebook. That would give the hackers access to run any queries on a new Facebook tab and extract personal data.
After Imperva disclosed the issue to Facebook, the company tried to issue a fix by randomizing iframe elements, an HTML element vital to the vulnerability. But later, Imperva pointed out that a hacker could still design an algorithm that would continue to expose a user’s contacts. Facebook then removed iframes from Messenger entirely. Facebook told The Verge in a statement: “We appreciate the researcher’s submission to our bug bounty program. The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.”
See Full Story at www.theverge.com