Facebook Messenger bug allowed researchers to change conversation history


Security researchers discovered a bug in Facebook Messenger that would allow an attacker to modify or remove text, pictures, links, and other information from chats in the Messenger Android app and in desktop Facebook chat, opening up some of Messenger’s 900 million users to potential fraud.

The bug could be used to alter conversations and spread malware, according to researchers at the security company Check Point who discovered the bug. A user could change the content of her chats in the Android app and on desktop, making it seem as if parties in a conversation had said things they didn’t actually say. The ability to change links in Messenger also left users exposed to malware: an attacker could swap out a normal link for a malicious one and persuade a target to click on it.

Facebook works to prevent malware from spreading in Messenger by preventing users from sending links to known malware and phishing sites. The company also shares threat intelligence with other security researchers on Threat Exchange, a social media platform for developers. But new malware could still slip through.

Only parties in a conversation could exploit the bug, so if you trust your Facebook friends, you probably were not at risk. Since the bug only affected the Messenger app and in-browser chat on Facebook.com, the authentic conversations would be logged on other versions of Messenger, such as Messenger.com. If someone’s chats were manipulated using the bug, he or she would still be able to access the original content in another version of Messenger.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing,” Oded Vanunu, head of products vulnerability research at Check Point, said in a statement. “What’s worse, a hacker could exercise automation techniques to continually outmanoeuvre security measures for long-term chat alterations. We extol Facebook for such a rapid response and putting security first for their users.”

Facebook’s security team patched the Messenger bug in May after they were alerted to the problem by Check Point. Since the early days of Facebook, the company has run a bug bounty program to encourage security researchers and whitehat hackers to report problems to the company. A Facebook spokesperson told TechCrunch that the program has “proven impossibly valuable.”

Facebook explained the bug in a blog post, noting that the changes to a conversation were not permanent. “We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.

This post was updated 6/7 at 1:00 p.m. with additional details about Facebook’s blog post and a demo video of the bug.