Facebook Messenger Flaw Allows Attackers To Modify Chat Contents, Spread Malware

The Check Point security research team discovered a vulnerability in Facebook’s Messenger (both the online version and the mobile app) that would allow an attacker to modify the contents of someone’s chat history as well as give them the ability to spread malware through the chat service.

The attacker would first need to get the ID of a message, which could be easily obtained with a browser debugging tool and some basic HTML knowledge. Once the ID of the message is identified, the attacker can send the modified message to Facebook’s servers, without the user being alerted about it.

This form of attack can be a profitable strategy for bad actors, who could send malware or ransomware to people’s chats by altering one of the existing messages to contain a link to the malware. The attack could also be used to falsify certain details of an agreement or transaction.

One way this type of attack could be avoided in the future is for Facebook to adopt end-to-end encryption. Then, the messages would be stored on users’ devices with no way for Facebook’s servers to access the contents of those messages or alter them (at least if the encryption is properly authenticated, so that any modification made in storage or in transit is detected and rejected when the recipient decrypts the message).

This vulnerability existed because messages are normally stored on Facebook’s servers, and Facebook could also modify the messages itself if it so desired. The attackers are simply using a capability that Facebook already has.

This is why end-to-end encryption can be highly valuable in protecting user data. If the data is out of the company’s hands, then no hacking or data breach could expose millions of people’s data in one go.
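The caveat above, "if the encryption is properly authenticated", is the whole point: encryption alone hides content but does not stop the party holding the ciphertext from editing it. The following added example (not Check Point's or Facebook's code; the keystream is a deliberately simple SHA-256 counter construction used only for illustration, and the message ID and text are constructed) shows an unauthenticated decrypt silently accepting an edited message while an encrypt-then-MAC decrypt rejects it:

```python
import hashlib
import hmac
import secrets

# Toy keystream (SHA-256 in counter mode) for illustration only; real code
# should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stream-cipher style: the same operation encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, msg_id: bytes, plaintext: bytes):
    # Encrypt-then-MAC. The tag binds ciphertext to the message ID and nonce,
    # so a stored message can be neither edited nor swapped under another ID.
    nonce = secrets.token_bytes(12)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, msg_id + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_unauthenticated(enc_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # No integrity check: whatever the server stored is accepted as-is.
    return xor_crypt(enc_key, nonce, ct)

def open_authenticated(enc_key, mac_key, msg_id, nonce, ct, tag) -> bytes:
    expected = hmac.new(mac_key, msg_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message %r failed authentication" % msg_id)
    return xor_crypt(enc_key, nonce, ct)

def demo():
    """Returns (edit_accepted_without_mac, edit_rejected_with_mac)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg_id, text = b"mid.constructed-0001", b"Meet at 10, contract attached"
    nonce, ct, tag = seal(enc_key, mac_key, msg_id, text)
    # Simulate the storage side altering bytes of the ciphertext it holds.
    edited = bytes([ct[0] ^ 0xFF]) + ct[1:]
    silently_changed = open_unauthenticated(enc_key, nonce, edited) != text
    try:
        open_authenticated(enc_key, mac_key, msg_id, nonce, edited, tag)
        detected = False
    except ValueError:
        detected = True
    return silently_changed, detected
```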

Facebook Messenger currently has 800 million active users, making it one of the largest messaging platforms around, but still behind WhatsApp’s one billion users. WhatsApp has already adopted end-to-end encryption by default, and Facebook will also reportedly adopt end-to-end encryption in the coming months. However, it will be opt-in, so users will have to manually enable it, which means most will either not be aware of it or won’t bother to do it. Google has adopted a similar end-to-end encryption strategy with its new Allo messenger.

Check Point has already alerted Facebook about the message modification vulnerability, and Facebook patched the flaw earlier this month, so users won’t have to worry about this specific vulnerability anymore, at least. However, similar attacks could still happen in the future as long as Facebook’s servers retain access to message contents, making those messages and the popular chat service a tempting target for bad actors.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

  • dstarr3
    I've been using the mobile website on my phone to access Facebook messages for the past couple years, because I am not installing any more Facebook bloatware on my phone. But the mobile website has been bugging me lately that pretty soon messages are only going to be accessible on mobile via the app. So, I guess I'm just not going to be reading my messages anymore soon. Because, f*** Facebook. F*** them hard.
  • surphninja
    Somebody warn grandma.

    It'll be a cold day in hell when facebook offers end-to-end encryption. They would never voluntarily give up access to anything.
  • DonQuixoteMC
    I hate when 'bad actors' take their frustration out on the world by spreading malware ;)
  • Ed Chombeau
    That started a year ago; hackers were stealing/duplicating identities and sending Messenger messages.
  • virtualban
    I've been using the mobile website on my phone to access Facebook messages for the past couple years, because I am not installing any more Facebook bloatware on my phone. But the mobile website has been bugging me lately that pretty soon messages are only going to be accessible on mobile via the app. So, I guess I'm just not going to be reading my messages anymore soon. Because, f*** Facebook. F*** them hard.
    Since I can't upvote you more...
  • Kimonajane
    Darn, you caught it; now FB will have to put another backdoor, I mean flaw, somewhere else for the FEDS. Sounds like Windows to me.
    Facebook & Twitter are for tools & fools. Now be a good little tool and make sure you "like" that big corporation when they target you for advertisements and you visit their page, fools.
  • Avus
    One way this type of attack could be avoided in the future is for Facebook to adopt end-to-end encryption. Then, the messages would be stored on users’ devices with no way for Facebook’s servers to access the contents of those messages or alter them (at least if the encryption is properly authenticated).

    There is better way... DO NOT USE FACEBOOK.