In November last year, a vulnerability was identified in Facebook that could let hackers obtain private information about Facebook users and their friends by accessing the company's API in an unauthorized manner.
Now the same vulnerability has been found in Facebook’s Messenger app. By exploiting it, a hacker can use ‘any website to expose who you have been messaging with’. The bug was identified by Imperva, Israel’s security research group, which had also identified the earlier Facebook bug. That earlier bug was fixed and patched by the company.
The bug in Messenger would let a hacker extract personal user data if the user visited a malicious website in Google Chrome and clicked on it while logged in to Facebook. The click would let the hacker run queries against a new Facebook tab and extract the user’s personal data from it.
After the research group reported the issue to the social networking giant, Facebook tried to fix it by randomizing iframe elements. Imperva later pointed out that this fix did not resolve the issue entirely, since a hacker could design an algorithm that would still give access to the user’s contacts. Facebook then removed the iframes from Messenger. The company told The Verge that it appreciates the researcher’s submission to its bug bounty program. The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.
Imperva researcher Ron Masas wrote in his report, “Browser-based side channel attacks are still an overlooked subject. While big players like Facebook and Google are catching up, most of the industry is still unaware.”
This is not the first time Facebook has been in the news for the wrong reasons. Since the beginning of last year, the social networking platform has faced constant fire from users and government for violating user privacy and storing user data without consent. In February 2019, Facebook was criticised when it was found that the company was paying teenagers and youngsters to let it monitor their internet usage. Last year, the data of millions of users was leaked due to a data breach on Facebook. And earlier this week we found out that Facebook isn’t letting its users hide their phone numbers from public eyes. For a company whose goal is to provide a “privacy-focused communications platform”, Facebook is failing miserably.