Back to Home

Facebook Messenger was vulnerable to an attack requiring basic HTML knowledge / Inoventica Services Blog

facebook · facebook messenger · html · vulnerability · chat · correspondence · message id

Facebook Messenger was vulnerable to an attack requiring basic HTML knowledge

    image

    A team of Check Point security experts discovered in the standard functionality of Facebook, as well as in Facebook Messenger, a vulnerability that allowed access to any user messages sent via a social network.

    Specifically, the exploit allowed anyone to access user messages and modify their contents, that is, for example, to potentially spread malware.

    To use the exploit, the attacker needed to get only a unique message ID by sending a request to www.facebook.com/ajax/mercury/thread_info.php .

    The whole operation requires only basic knowledge of HTML and a modern browser, which has a debugging mode. After finding the message ID, the attacker can change it, messages, content and send it to the Facebook server, bypassing the real user account.

    image
    Modifying a message

    What was the danger of this vulnerability? Facebook, as a social network, has long become a part of the life of its users and is used for a variety of purposes: as the transfer of information, links and other things, and so on and to achieve preliminary agreements and transactions. The ability to change the contents of correspondence without hacking an account gives attackers a tool to pressure the user and falsify data.


    Video showing the exploit’s capabilities

    After the vulnerability was discovered, experts reported it to Facebook and the hole was quickly closed.

    Read Next