Vulnerability in Facebook Messenger worked in both app and browser

Facebook Messenger had a vulnerability that could be exploited with basic HTML knowledge. The vulnerability occurred in both the app version and the online chat function within the Facebook website. The problem has now been resolved.

The vulnerability allowed a user to change a message afterwards, such as adjusting or deleting photos, links, files and of course the text message itself. After security company Checkpoint reported the leak, Facebook immediately closed the leak. The greatest danger, according to Checkpoint, lies in manipulating messages as part of fraud campaigns and as a distribution platform for ransomware. Often, ransomware is soon stopped being distributed via email because the content of the message is known and then stopped. If someone can post those links in a place that is no longer monitored, this extends the duration of ransomware campaigns.

To exploit the vulnerability, the attacker needed to obtain the message identification number, the message_id parameter. An attacker could do this by sending a request to www.facebook.com/ajax/mercury/thread_info.php. An attacker was then able to modify the message without sending a push message to the other user.

A hacker had to be able to log in to an account with which the chat was conducted in the past in order to be able to intercept a chat. This could be the person himself who pretends to be a friend and thus establishes ties with many people, but actually has malicious intent or someone who has managed to hijack someone’s account and then manipulate chats.