Facebook Patches Vulnerability in Messenger App

Researchers discovered that Facebook Messenger is plagued by a vulnerability that allows hackers to replace the content of the messages they send through the application. The social media giant addressed the issue, but rated it “low risk.”

Several experts, including researchers from the security firm Check Point, reported the flaw to Facebook via its bug bounty program. Check Point published a blog post detailing the vulnerability on Monday.

The problem is related to the random ID assigned to each message. An attacker could obtain this ID via a request to, and then send another message with the same ID to the targeted user. This results in the messages sent subsequently with the same ID replacing the previous message.

Check Point said the vulnerability can have a severe impact as it could be used in fraud campaigns to change the content of a conversation, or to replace legitimate links and files with malicious ones. The security firm noted that the flaw affected both the web and mobile versions of the messaging application.

In its own blog post, Facebook said it conducted a thorough investigation of the problem and determined that it only affected Messenger for Android. It’s worth noting that Check Point’s proof-of-concept also targets the Android app.

According to Facebook, on most clients, including the one for iOS, the first message is displayed whenever messages with a duplicate ID are detected. A configuration flaw in Messenger for Android resulted in the last message being displayed instead.
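The two duplicate-ID behaviours Facebook describes can be compared in a small model. This is an added example, not Facebook's or Check Point's code: the `MessageCache` class, its method names, the message IDs and the sample messages are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MessageCache:
    """Toy client-side cache keyed by message ID (hypothetical model)."""
    keep_first: bool = True                       # True: first message wins
    messages: dict = field(default_factory=dict)  # msg_id -> (sender, body)
    conflicts: list = field(default_factory=list)

    def receive(self, msg_id, sender, body):
        existing = self.messages.get(msg_id)
        if existing is None:
            self.messages[msg_id] = (sender, body)
            return "stored"
        if existing == (sender, body):
            return "duplicate"  # benign redelivery of the same message
        # Same ID, different content: record it so it can be logged or flagged.
        self.conflicts.append((msg_id, existing[1], body))
        if self.keep_first:
            return "rejected"   # displayed text stays as first received
        self.messages[msg_id] = (sender, body)
        return "overwritten"    # last-wins: displayed text silently changes

    def displayed(self, msg_id):
        return self.messages[msg_id][1]


def replay(keep_first):
    """Feed constructed sample traffic through a cache with the given policy."""
    cache = MessageCache(keep_first=keep_first)
    # Constructed deliveries: the third one reuses the first message's ID.
    deliveries = [
        ("m-1001", "alice", "Contract attached, terms as agreed."),
        ("m-1002", "bob", "Thanks, reviewing now."),
        ("m-1001", "alice", "Contract attached, terms changed."),
    ]
    results = [cache.receive(*d) for d in deliveries]
    return cache, results


if __name__ == "__main__":
    for policy in (True, False):
        cache, results = replay(policy)
        print(policy, results, cache.displayed("m-1001"), cache.conflicts)
```

Under either policy the conflict list records the ID reuse, which gives a client or a monitoring pipeline a signal that a message ID arrived twice with different content.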

Facebook pointed out that the “message duplication” bug can be exploited by an attacker only to change their own messages, and not someone else’s messages. While malicious hackers can exploit the vulnerability to replace harmless links and files with phishing websites and malware, Facebook says an attack would likely be blocked by its anti-malware and anti-spam filters, which also analyze the messages that replace the original one.

“This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms. We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.

The company rolled out a fix, but classified the issue as a “simple misconfiguration” with a “low risk.”

Facebook reported in February that it had paid out more than $4.3 million to researchers since the launch of its bug bounty program in 2011. The flaws that earned hackers rewards from the social networking giant this year were related to account hijacking ($7,500), the password reset system ($15,000), third-party software ($10,000), and the login system ($5,000).

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
