We’ve lost count of just how many privacy issues Facebook had so far. It appears that there is a new scandal every month.
Recently it was revealed that Messenger had a vulnerability which could have been used to expose who you were chatting it.
The vulnerability was exposed by researcher Ron Masas in a blog post. He explained that an attacker could send a bad link on messenger. Once the user clicked something on a page, a new window would open, allowing the attacker to see whether the user has been chatting with others. Masas already reported the issue to Facebook, but it appears that the initial fix delivered by the company wasn’t enough to solve the problem.
Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.
Facebook’s response
Facebook claims that this issue exists on many other platforms as well. We received an official response from a Facebook spokesperson:
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook. We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
The code was updated and iframes were removed from the app, and hopefully this manages to solve the problem.
Nora Reynolds is a major in biology and a minor in Biological Basis of Behavior, writing about science in general. She also likes to try new gadgets and sports about the AI new era.