Vulnerabilities in Facebook Chat and Messenger exploitable with basic HTML knowledge

Check Point’s security research team has discovered vulnerabilities in Facebook’s standard online Chat function and in its separately downloaded Messenger app.

The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences.

[Figure: An attacker can reveal the message_id]

To exploit the vulnerability, an attacker simply needed to identify the unique ID for the sent message he or she is targeting. This is easily achieved by sending a request to the link:

www.facebook.com/ajax/mercury/thread_info.php

This process requires only very basic HTML knowledge and a browser debug tool, free on any browser. Once the message ID is identified, the attacker is able to alter the content of the message and send it to the Facebook servers without the original user being alerted.

Altering the content of sent messages holds hugely attractive possibilities for attackers. They can insert malware, including ransomware, into a previously benign Facebook message chain, or they can manipulate message contents and history for fraudulent purposes – for example, to falsify details of an agreement or transaction.

[Figure: Altering the message]

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point. “What’s worse, the hacker could implement automation techniques to outsmart security measures, allowing them to launch long-term, insidious attacks. We applaud Facebook for such a rapid response, and for working with us to put security first for their users.”

Here’s a video of the vulnerability in action:

In the first quarter of 2016, Facebook announced that it had reached 1.65 billion monthly active members, while the Messenger app alone passed 800 million monthly users earlier this year, making it a potentially rich hunting ground for cybercriminals.

The vulnerability was fully disclosed to the Facebook Security team earlier this month. Facebook immediately responded, and after a joint effort the vulnerability was patched. Facebook users do not need to make any changes to their accounts.