A vulnerability similar to one previously reported in Facebook was also found in the company's Messenger product, according to the Imperva security research group. Nearly a year ago, Imperva researchers discovered that, through Messenger, a hacker could use "any website to expose who you've been sending messages with." The flaw was disclosed to Facebook in May and subsequently corrected.
Hackers could target a Facebook user's web browser and exploit iframe elements to see which friends the user had spoken to and which friends were not in the user's contact list. Imperva confirmed that hackers could not obtain any other data from the attack.
As with the Facebook vulnerability reported last November, Messenger users would have been vulnerable if they visited a malicious site in Chrome and then clicked on the site while they were still logged in to Facebook. That would allow hackers to run any query in a new Facebook tab and extract personal data.
After Imperva disclosed the problem to Facebook, the company attempted a fix that randomized its use of iframe elements, the HTML element central to the vulnerability. But Imperva later pointed out that a hacker could still design an algorithm that would continue to expose private messages. Facebook then removed the iframes from Messenger completely.
"Browser-based side channel attacks are still a subject that is overlooked," writes Ron Masas, an Imperva researcher based in Israel, in the report. "While great players such as Facebook and Google are catching up, most of the industry still does not know it." Masas said that although the technique was not yet common, it could "increase in popularity throughout 2019," since it usually did not leave a
In recent years, Facebook has been criticized for unrestrained privacy violations and for mishandling user data. From the Cambridge Analytica scandal reported last March to a data breach Facebook revealed in October, millions of users have had their data leaked. Today's news of the vulnerability also comes a day after Facebook CEO Mark Zuckerberg announced plans to merge Messenger, WhatsApp and Instagram into a service that would combine its products through a single backend, positioning the move as a pivot toward a "communication centered on privacy platform."