Researchers discovered that Facebook Messenger is plagued by a vulnerability that allows hackers to replace the content of the messages they send through the application. The social media giant addressed the issue, but rated it “low risk.”
Several experts reported the flaw to Facebook via its bug bounty program, including from the security firm Check Point, which on Monday published a blog post detailing the vulnerability.
The problem is related to the random ID assigned to each message. An attacker could obtain this ID via a request to facebook.com/ajax/mercury/thread_info.php, and then send another message with the same ID to the targeted user. This results in the messages sent subsequently with the same ID replacing the previous message.
Check Point said the vulnerability can have a severe impact as it could be used in fraud campaigns to change the content of a conversation, or to replace legitimate links and files with malicious ones. The security firm noted that the flaw affected both the web and mobile versions of the messaging application.
In its own blog post, Facebook said it conducted a thorough investigation of the problem and determined that it only affected Messenger for Android. It’s worth noting that Check Point’s proof-of-concept also targets the Android app.
According to Facebook, on most clients, including the one for iOS, the first message is displayed whenever messages with a duplicate ID are detected. A configuration flaw in Messenger for Android resulted in the last message being displayed instead.
Facebook pointed out that the “message duplication” bug can be exploited by an attacker only to change their own messages, and not someone else’s messages. While malicious hackers can exploit the vulnerability to replace harmless links and files with phishing websites and malware, Facebook says an attack would likely be blocked by its anti-malware and anti-spam filters, which also analyze the messages that replace the original one.
“This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms. We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.
The company rolled out a fix, but classified the issue as a “simple misconfiguration” with a “low risk.”
Facebook reported in February that it had paid out more than $4.3 million to researchers since the launch of its bug bounty program in 2011. The list of flaws that earned hackers rewards from the social networking giant this year were related to account hijacking ($7,500), the password reset system ($15,000), third-party software ($10,000), and the login system ($5,000).