It seems that security and privacy woes continue to trouble Facebook. In a recent incident, Ron Masas, a security researcher at Imperva, discovered a security bug in the platform’s messaging website, Messenger.
This flaw was found in the application’s desktop website. Attackers could insert malicious links which, when clicked, would allow them to see users’ conversations.
The big picture
The issue with iframes - The number of iframes loaded in the page gives information about the state of the webpage.
As per the researcher's blog, "When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds. This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy."
Thus, the researcher was able to leak the state of the cross-origin window by analyzing the raw pattern of iframe count over time or by timing certain “milestones” of the pattern.
What actions were taken?
When the researcher reached out to Facebook regarding the security issue, the company first tried randomizing the number of iframes on the page. However, the researcher could still adapt his algorithm to leak the state. Finally, Facebook removed all the iframe elements present in the user interface of Messenger to get rid of the issue.
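The sketch below is an added example, not code from the researcher or Facebook. It shows why randomizing the iframe count did not close the leak while removing the iframes did. The traces are constructed, and the randomization is modeled, as an assumption, as a fixed number of decoy iframes per page load.

```javascript
// Constructed iframe-count traces sampled over time during a page load.
// They are illustrative only and were not captured from Messenger.
const EMPTY = [0, 1, 2, 3, 1, 1, 3, 3]; // reaches three, brief drop, recovers
const FULL = [0, 1, 2, 3, 3, 3, 3, 3];  // assumed shape: no drop

// Assumed model of the first mitigation: k decoy iframes for the whole load.
const withDecoys = (trace, k) => trace.map((n) => n + k);

// Absolute feature: a sample of exactly three followed later by a lower one.
function dropsBelowThree(trace) {
  const i = trace.indexOf(3);
  return i !== -1 && trace.slice(i + 1).some((n) => n < 3);
}

// Shape feature: a short dip below the running maximum that then recovers.
// It compares samples to each other, so a constant offset does not change it.
function hasTransientDrop(trace, maxDipSamples = 3) {
  let peak = -Infinity;
  let dipStart = -1;
  for (let i = 0; i < trace.length; i++) {
    if (trace[i] >= peak) {
      if (dipStart !== -1 && i - dipStart <= maxDipSamples) return true;
      dipStart = -1;
      peak = trace[i];
    } else if (dipStart === -1) {
      dipStart = i;
    }
  }
  return false;
}

// True when the feature tells the two states apart for every decoy count,
// i.e. the page still leaks its state under that mitigation.
function separates(feature, decoyCounts) {
  return decoyCounts.every(
    (k) => feature(withDecoys(EMPTY, k)) && !feature(withDecoys(FULL, k))
  );
}

console.log("absolute feature, no decoys:", separates(dropsBelowThree, [0]));
console.log("absolute feature, decoys:   ", separates(dropsBelowThree, [0, 2, 5]));
console.log("shape feature, decoys:      ", separates(hasTransientDrop, [0, 2, 5]));
// With every iframe removed, both states yield an all-zero trace.
console.log("no iframes, any state:      ", hasTransientDrop([0, 0, 0, 0]));
```

A site owner can run the same kind of check on traces recorded from their own pages in two states: if any shape feature separates them, the frame count is still observable state.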
The researcher also emphasized the need to focus on the threat of such browser-based attacks, which are often neglected on many websites.