Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Facebook Patches Vulnerability in Messenger App

Researchers discovered that Facebook Messenger is plagued by a vulnerability that allows hackers to replace the content of the messages they send through the application. The social media giant addressed the issue, but rated it “low risk.”

Researchers discovered that Facebook Messenger is plagued by a vulnerability that allows hackers to replace the content of the messages they send through the application. The social media giant addressed the issue, but rated it “low risk.”

Several experts reported the flaw to Facebook via its bug bounty program, including from the security firm Check Point, which on Monday published a blog post detailing the vulnerability.

The problem is related to the random ID assigned to each message. An attacker could obtain this ID via a request to facebook.com/ajax/mercury/thread_info.php, and then send another message with the same ID to the targeted user. This results in the messages sent subsequently with the same ID replacing the previous message.

Check Point said the vulnerability can have a severe impact as it could be used in fraud campaigns to change the content of a conversation, or to replace legitimate links and files with malicious ones. The security firm noted that the flaw affected both the web and mobile versions of the messaging application.

In its own blog post, Facebook said it conducted a thorough investigation of the problem and determined that it only affected Messenger for Android. It’s worth noting that Check Point’s proof-of-concept also targets the Android app.

According to Facebook, on most clients, including the one for iOS, the first message is displayed whenever messages with a duplicate ID are detected. A configuration flaw in Messenger for Android resulted in the last message being displayed instead.

Facebook pointed out that the “message duplication” bug can be exploited by an attacker only to change their own messages, and not someone else’s messages. While malicious hackers can exploit the vulnerability to replace harmless links and files with phishing websites and malware, Facebook says an attack would likely be blocked by its anti-malware and anti-spam filters, which also analyze the messages that replace the original one.

“This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms. We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.

The company rolled out a fix, but classified the issue as a “simple misconfiguration” with a “low risk.”

Facebook reported in February that it had paid out more than $4.3 million to researchers since the launch of its bug bounty program in 2011. The list of flaws that earned hackers rewards from the social networking giant this year were related to account hijacking ($7,500), the password reset system ($15,000), third-party software ($10,000), and the login system ($5,000).

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.