Facebook fixes dangerous bug with serious repercussions

Jun 7, 2016 12:00 GMT

Facebook has fixed a vulnerability in its Messenger IM chat application, for both the Web and mobile versions, which allowed attackers to edit or delete any existing chat message.

Check Point researcher Roman Zaikin discovered the issue at the start of the month, and Facebook released prompt updates to address the problem before it could be exploited.

An attacker can edit any message if they know the message_id value

According to Zaikin, the vulnerability is trivial to exploit. Facebook Messenger works by relaying messages between two users via Facebook's servers, and each message carries a randomly generated message_id value that is unique to that message.

Zaikin realized that, by querying the facebook.com/ajax/mercury/thread_info.php URL, he could discover each message's ID.

The only condition is that the attacker has a way to log and store the message request. This can be done via proxy servers, or by infecting the user's device with malware that will record these message requests and then send them to the threat actor's server.

Once the attacker had hold of a message's ID, Zaikin developed a trivial automated attack that sent a new message carrying the same ID, which rewrote the original message's content.

Since the mobile version of the Messenger app allows users to delete messages, the same automated attack can also be used to delete existing messages.
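
A simplified model of the flaw, added here as an illustration rather than code from Facebook or Check Point: the flawed store treats a client-supplied message_id as a mutable key, so a resend with the same id overwrites the stored body, while the hardened store treats the id as an idempotency key, keeps the first write, and lets only the author delete. The storage layout, class names and the sample ids are assumptions.

```python
# Constructed model of the message_id flaw and a hardened store. Added
# illustration, not Facebook's code; layout and names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    message_id: str   # client-supplied id; sample values below are made up
    sender: str
    body: str

class FlawedStore:
    """Upsert keyed only on message_id: a resend carrying an existing id
    silently replaces the stored body (the reported bug)."""
    def __init__(self):
        self.msgs = {}
    def send(self, msg):
        self.msgs[msg.message_id] = msg  # last write wins
        return msg

class HardenedStore:
    """message_id is an idempotency key, not a mutable primary key: the
    first write wins, a retry returns the stored record unchanged, and an
    id reused by a different sender is rejected."""
    def __init__(self):
        self.msgs = {}
    def send(self, msg):
        existing = self.msgs.get(msg.message_id)
        if existing is None:
            self.msgs[msg.message_id] = msg
            return msg
        if existing.sender != msg.sender:
            raise PermissionError("message_id belongs to another sender")
        return existing  # idempotent retry: stored content never changes
    def delete(self, message_id, requester):
        existing = self.msgs.get(message_id)
        if existing is None or existing.sender != requester:
            return False  # only the author may delete an existing message
        del self.msgs[message_id]
        return True

def replay_body(store):
    """Send, then resend the same id with new text; return what is stored."""
    store.send(Message("mid.1465300000", "alice", "meet at 9"))
    store.send(Message("mid.1465300000", "alice", "meet at 10"))  # replay
    return store.msgs["mid.1465300000"].body
```

Running replay_body against both stores shows the difference directly: the flawed store now holds "meet at 10", the hardened one still holds "meet at 9".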

Attack is extremely dangerous, has serious repercussions

The attack is extremely dangerous because it allows IM spammers to constantly update their messages with updated malicious URLs, in case authorities shut down their original servers.

Furthermore, since IM chat logs are admitted as evidence in court, an attacker could also modify existing conversations to shift blame to the wrong person, or clear a crook of any wrongdoing.

"By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What's worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations," said Oded Vanunu, Head of Products Vulnerability Research at Check Point. "We applaud Facebook for such a rapid response and putting security first for their users."

Below is a video by Zaikin, presenting the Facebook Messenger vulnerability in action.

UPDATE: Facebook has told Softpedia about a series of details left out of the Check Point report. A Facebook representative says the bug only allowed attackers to change their own messages, and the change was only temporary, lasting until the app refetched data from the server. All original messages would still be documented and accessible on the other platforms, so there was always a source of truth that reflected messages correctly.

Furthermore, users wouldn't be able to inject any content, including links and malware, that would have been blocked in the original messages. Facebook says that all messages are still sent through its anti-malware and anti-spam filters.