Bug in Facebook Messenger allows attackers to see who users chat with

• The flaw exists in the desktop website of Facebook Messenger.
• The iframe elements in the website could be exploited by attackers to determine who the users chat with.

It seems that security and privacy woes continue to trouble Facebook. In a recent incident, Ron Masas, a security researcher at Imperva discovered a security bug in the platform’s messaging website Messenger.

This flaw was found in the application’s desktop website. Attackers could insert malicious links which upon clicking, would allow them to see users’ conversations.

The big picture

• Ron Masas noticed that the web application of Messenger used iframe elements to power the user interface. He found that these iframes could be used to get information about the ‘states’ which can give clues about the users' conversations in Messenger.
• The number of iframes changed every time a user contacted another user through Messenger.
• Due to this reason, attackers could trick users into clicking malicious webpages where they would distract the users while they execute the exploit in the background tab of Messenger.
• To execute the exploit, the attacker would reload Messenger in the background and count the number of iframes in the page which tells us whether they have been chatting with specific users.
• Thus, attackers can perform a Cross-Site Frame Leakage attack which is a type of side-channel attack on the end user's browser. However, attackers cannot expose the complete content of the conversation.

The issue with iframes - The number of iframes loaded in the page gives information about the state of the webpage.

As per the researcher's blog, "When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds. This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy."

Thus, the researcher was able to leak the state of the cross-origin window by analyzing the raw pattern of iframe count over time or by timing certain “milestones” of the pattern.

What actions were taken?

When the researcher reached out to Facebook regarding the security issue, they tried randomizing the number of iframes on the page. However, the researcher could still adapt his algorithm to leak the state. FInally, Facebook removed all the iframe elements present in the user interface of Messenger to get rid of the issue.

The researcher also emphasized the need to focus on the threat of such browser-based attacks which are often neglected in many websites.