Facebook Messenger flaw lets hackers hijack your conversations

The threat was disclosed by Check Point Software Technologies today. Check Point has already reported the issue privately to Facebook, which “promptly” fixed it after being contacted, and users are now protected against the flaw.
Check Point discovered that malicious users could easily change conversation threads in Facebook Messenger. The issue affects the standalone Messenger app for mobile devices, the Messenger web app and online chat on Facebook’s website.
The firm warned the vulnerability could have had a “severe” impact on users. Fraudsters could manipulate message histories to claim an agreement had been reached with victims, hackers could tamper with conversations in ways that carry legal repercussions, and the issue could be used to distribute malware.
An attacker could change a legitimate link or file in a chat into one pointing to malicious apps and ransomware. The link could even be updated again in the future with the same technique, keeping the campaign up to date.
“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point. “What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations.”
The vulnerability, discovered by Check Point security researcher Roman Zaikin, allowed hackers to manipulate Messenger chats and change the contents of messages after they had been sent. Messages could be sent, deleted and replaced, including the contents of links and files.
Every message sent using Facebook carries a unique ID with it. An attacker could reveal message IDs by sending a request to Facebook’s APIs. The response could be analysed using developer tools built into web browsers to establish the ID.
With the message ID obtained, the contents of the message could be changed with additional requests to Facebook’s API. The ID is passed along to the server to identify the message to be changed. The content is updated without sending a push notification to the recipient’s devices.
Check Point outlined how an attacker could use the flaw to distribute ransomware. The hacker would first send a legitimate message to the target and then alter it to include an infected link or file. The attacker could continue to change the link on a regular basis to keep it up to date, preventing security companies from closing down the campaign by shutting down its servers.
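Because the change arrives under an existing message ID and without a notification, one way an archiving or monitoring client can catch it is to pin a digest of each message the first time it is seen and compare later fetches against it. The sketch below is an added example, not code from Check Point or Facebook; the `ThreadPins` class, the `(message_id, text)` fetch format and the sample messages are assumptions made for illustration.

```python
import hashlib
import re

URL_RE = re.compile(r"https?://\S+")

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class ThreadPins:
    """Hypothetical helper: pins the first-seen content of each message ID."""

    def __init__(self):
        self._pins = {}  # message_id -> (content digest, set of links)

    def sync(self, messages, edit_notices=frozenset()):
        """Compare a fresh fetch of (message_id, text) pairs with the pins.

        edit_notices holds IDs whose edit was announced to the recipient.
        Returns one finding per ID whose content changed without a notice.
        """
        findings = []
        for mid, text in messages:
            links = set(URL_RE.findall(text))
            pinned = self._pins.get(mid)
            if pinned is None or mid in edit_notices:
                # First sighting, or an announced edit: (re-)pin the content.
                self._pins[mid] = (digest(text), links)
                continue
            old_digest, old_links = pinned
            if digest(text) != old_digest:
                # Pin is kept, so every later silent change is reported too.
                findings.append({
                    "id": mid,
                    "links_added": sorted(links - old_links),
                    "links_removed": sorted(old_links - links),
                })
        return findings

# Constructed sample data: the same thread fetched twice.
FIRST_FETCH = [("m1", "Contract draft: https://example.com/draft.pdf"),
               ("m2", "Thanks, will read it tonight.")]
LATER_FETCH = [("m1", "Contract draft: https://example.net/draft.exe"),
               ("m2", "Thanks, will read it tonight.")]

if __name__ == "__main__":
    pins = ThreadPins()
    pins.sync(FIRST_FETCH)
    for finding in pins.sync(LATER_FETCH):
        print("silent change:", finding)
```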
Facebook Messenger’s extensive audience could have allowed hackers to target millions of people in this way. The company responded proactively to Check Point’s notice though, taking immediate action to release a fix. “We applaud Facebook for such a rapid response and putting security first for their users,” said Vanunu.