The Check Point security research team discovered a vulnerability in Facebook’s Messenger (both the online version and the mobile app) that would allow an attacker to modify the contents of someone’s chat history as well as give them the ability to spread malware through the chat service.
The attacker would first need to get the ID of a message, which could be easily obtained with a browser debugging tool and some basic HTML knowledge. Once the ID of the message is identified, the attacker can send the modified message to Facebook’s servers, without the user being alerted about it.
This form of attack can be a profitable strategy for bad actors, who could send malware or ransomware to people’s chats by altering one of the existing messages to contain a link to the malware. The attack could also be used to falsify certain details of an agreement or transaction.
One way this type of attack could be avoided in the future is for Facebook to adopt end-to-end encryption. Then, the messages would be stored on users’ devices with no way for Facebook’s servers to access the contents of those messages or alter them (at least if the encryption is properly authenticated).
This vulnerability existed because messages are normally stored on Facebook’s servers, and Facebook could also modify the messages itself if it so desired. The attackers are simply using a capability that Facebook already has.
This is why end-to-end encryption can be highly valuable in protecting user data. If the data is out of the company’s hands, then no hacking or data breach could expose millions of people’s data in one go.
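The authentication half of the end-to-end argument above, as an added example that is not from the original article or from Facebook's implementation: a MAC keyed by a secret only the two participants hold, and bound to the message ID, lets the recipient detect an edit made to stored history. It leaves out encryption and key exchange; the key, message IDs and record layout are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed key known only to the two chat participants (assumption: agreed
# out of band; the server stores messages but never sees this key).
CHAT_KEY = os.urandom(32)


def _encode(message_id: str, sender: str, body: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [p.encode("utf-8") for p in (message_id, sender, body)]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def seal(key: bytes, message_id: str, sender: str, body: str) -> dict:
    """Sender side: bind the body to its message ID and sender with a MAC."""
    tag = hmac.new(key, _encode(message_id, sender, body), hashlib.sha256).digest()
    return {"id": message_id, "sender": sender, "body": body, "tag": tag}


def verify(key: bytes, record: dict, expected_id: str) -> bool:
    """Recipient side: accept a record only if it is unaltered and in its own slot."""
    if record["id"] != expected_id:
        return False
    want = hmac.new(
        key, _encode(record["id"], record["sender"], record["body"]), hashlib.sha256
    ).digest()
    return hmac.compare_digest(want, record["tag"])


def demo() -> dict:
    # Constructed stand-in for server-side chat history, keyed by message ID.
    server = {
        "m1": seal(CHAT_KEY, "m1", "alice", "Invoice total: 100 USD"),
        "m2": seal(CHAT_KEY, "m2", "alice", "See you at 5"),
    }
    results = {"untouched": verify(CHAT_KEY, server["m1"], "m1")}
    # The stored body of m1 is rewritten by a party that lacks CHAT_KEY.
    edited = dict(server["m1"], body="Invoice total: 900 USD")
    results["body_edited"] = verify(CHAT_KEY, edited, "m1")
    # An authentic record is served in another message's slot, as-is or relabelled.
    results["swapped"] = verify(CHAT_KEY, server["m2"], "m1")
    results["relabelled"] = verify(CHAT_KEY, dict(server["m2"], id="m1"), "m1")
    return results
```

Only the untouched record verifies; binding the message ID into the MAC is what rejects an authentic message moved into a different slot.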
Facebook Messenger currently has 800 million active users, making it one of the largest messaging platforms around, though still behind WhatsApp’s one billion users. WhatsApp has already adopted end-to-end encryption by default, and Facebook will also reportedly adopt end-to-end encryption in the coming months. However, it will be opt-in, so users will have to enable it manually, which means most will either not be aware of it or won’t bother to do it. Google has adopted a similar end-to-end encryption strategy with its new Allo messenger.
Check Point has already alerted Facebook about the message modification vulnerability, and Facebook patched the flaw earlier this month, so users no longer have to worry about this specific vulnerability. However, similar attacks could still happen in the future as long as Facebook has access to the messages, which makes those messages and the popular chat service a tempting target for bad actors.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.