Users of Facebook’s Messenger app may not quite know it, but they had been at risk of having their messages and conversations tampered with, no thanks to a vulnerability in the popular instant messaging platform.
Facebook has since patched the vulnerability after it was disclosed to them, according to security vendor Check Point software.
“The vulnerability allows a malicious user to change a conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more,” Check Point said in a June 7 blog post.
“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” said Oded Vanunu, head of Check Point’s products vulnerability research unit.
Check Point said that before the flaw was fixed, malicious users can manipulate message history as part of fraud campaigns.
It said an attacker can potentially change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
Hackers can tamper with, alter or hide important information in Facebook chat communications which can have legal repercussions, it added.
Such chats can be admitted as evidence in legal investigations and this can allow an attacker to hide evidence of a crime or even incriminate an innocent person, it said.
Worse, it said the flaw can be used to distribute malware as an attacker can change a legitimate link or file into a malicious one, and persuade the user to open it.
* Technical analysis
Check Point security researcher Roman Zaikin found the vulnerability had let hackers delete messages in a chat replace text, links, and files.
Investigation showed an attacker can reveal the “message_id” by sending a request to: www.facebook.com/ajax/mercury/thread_info.php.
The attacker can then alter the content of the message and send it to the Facebook servers, with the content changed without a push message to the users’ PC or mobile device.
The hacker can even potentially maintain an active command-and-control server.